All new accounts will now have their passwords stored in SHA256.

Supersedes all previous authentication methods, except VAULT TOKEN.

3 files changed, 6 insertions, 3 deletions

diff --git a/src/login/account.h b/src/login/account.h
index 312bb85c5..c00afaae6 100644
--- a/src/login/account.h
+++ b/src/login/account.h
@@ -37,7 +37,7 @@ struct mmo_account
 {
 	int account_id;
 	char userid[NAME_LENGTH];
-	char pass[32+1];            // 23+1 for plaintext, 32+1 for md5-ed passwords
+	char pass[64+1];            // 23+1 for plaintext, 32+1 for md5-ed passwords
 	char sex;                   // gender (M/F/S)
 	char email[40];             // e-mail (by default: a@a.com)
 	int group_id;               // player group id
diff --git a/src/login/login.c b/src/login/login.c
index 2f40498bf..68b53608f 100644
--- a/src/login/login.c
+++ b/src/login/login.c
@@ -1033,7 +1033,10 @@ static int login_mmo_auth_new(const char *userid, const char *pass, const char s
 	memset(&acc, '\0', sizeof(acc));
 	acc.account_id = -1; // assigned by account db
 	safestrncpy(acc.userid, userid, sizeof(acc.userid));
-	safestrncpy(acc.pass, pass, sizeof(acc.pass));
+    char *spass;
+    spass = (char *)aMalloc((64+1)*sizeof(char));
+    md5->sha256(pass, spass);
+	safestrncpy(acc.pass, spass, sizeof(acc.pass));
 	acc.sex = sex;
 	safestrncpy(acc.email, "a@a.com", sizeof(acc.email));
 	acc.expiration_time = (login->config->start_limited_time != -1) ? time(NULL) + login->config->start_limited_time : 0;
diff --git a/src/login/login.h b/src/login/login.h
index 7f74057c6..2bdf68f50 100644
--- a/src/login/login.h
+++ b/src/login/login.h
@@ -51,7 +51,7 @@ enum password_enc {
 
 #define PASSWORDENC PWENC_BOTH
 
-#define PASSWD_LEN (32+1) // 23+1 for plaintext, 32+1 for md5-ed passwords
+#define PASSWD_LEN (64+1) // 23+1 for plaintext, 32+1 for md5-ed passwords
 
 struct login_session_data {
 	int account_id;