Difference between revisions of "Security"

Password Management

Passwords are stored securely using your operating system's built-in credential manager.

Available in Mudlet4.20+

How It Works

When you save a password in Mudlet (such as your game character password), it is automatically encrypted and stored in the most secure location available:

• macOS: Stored in your macOS Keychain
• Windows: Stored in Windows Credential Manager
• Linux: Stored in your system's Secret Service (like GNOME Keyring or KWallet)
• Portable Mode: Encrypted files in your Mudlet profile folder

Security Features

Your passwords are protected by:

• System-level encryption - Your operating system handles the encryption using industry-standard methods
• Per-profile isolation - Each Mudlet profile's passwords are kept separate
• Automatic fallback - If the system keychain is unavailable, Mudlet uses AES-256 encrypted files
• No plaintext storage - Passwords are never stored in readable form

What This Means for You

You don't need to do anything special

Mudlet handles password security automatically. Just enter your password when creating or editing a profile, and Mudlet takes care of the rest.

Your passwords are more secure

By using your operating system's credential manager, your passwords benefit from the same security that protects your system passwords and other sensitive data.

Portable installations still work

If you use Mudlet in portable mode (running from a USB drive, for example), passwords are stored as encrypted files that travel with your installation.

Multiple profiles are supported

Each profile's passwords are kept separate and secure, even if you have multiple characters on the same game.

Managing Your Passwords

Your passwords are automatically retrieved when you connect to a game. You can view or change them in the Connection Profiles dialog:

1. Click the Connect button on the main toolbar (or press Alt+C)
2. Select your profile from the list
3. Click the Options tab
4. Your password will be securely loaded from storage and can be edited here

You can also create new profiles with passwords directly from this dialog.

Portable Mode Details

When running Mudlet in portable mode (indicated by a portable.txt file in your Mudlet directory), passwords are stored differently than standard installations:

How Portable Password Storage Works

• Encrypted storage - Passwords are encrypted using AES-256 and stored in your profile's credentials/ folder
• Self-contained - The encryption key is stored within your profile directory, not in any system-specific location
• Truly portable - You can copy your entire Mudlet folder (including profiles) to another computer or operating system, and your passwords will still work

What Gets Stored Where

In portable mode, each profile contains:

~/.config/mudlet/profiles/YourProfile/
  ├── encryption_key           ← Your profile's unique encryption key
  └── credentials/
      └── character.cred       ← Your encrypted password

When you copy your profiles to a new machine, both files travel together, allowing seamless decryption on the new system.

Moving Between Computers

To transfer your portable Mudlet installation with passwords intact:

1. Copy your entire Mudlet folder (or at minimum, the profiles/ directory)
2. Ensure all files are copied, including the encryption_key file in each profile
3. Your passwords will work on the new machine with no additional steps

Security Considerations

While portable mode encrypts your passwords (unlike pre-4.20 versions which stored them in plain text), be aware that:

• Anyone with access to your Mudlet profile folder could potentially decrypt your passwords
• For maximum security on shared or public computers, consider not saving passwords and entering them manually each session
• The encryption protects against casual snooping but is not designed to resist determined attacks with full file access

Technical Details

For users interested in the technical implementation:

• Passwords in system keychains use the native encryption provided by your OS
• File-based storage uses AES-256 encryption with PBKDF2-SHA256 key derivation
• Each profile has a unique encryption key stored in its profile directory
• HMAC authentication ensures password integrity
• All password operations include timeout protection and error handling

Privacy

Your passwords are stored locally on your computer and are never transmitted to Mudlet's servers or any third party. The only time a password is sent over the network is when you connect to your game server (using the connection method you've chosen).

Password Masking Feature

Mudlet automatically masks your password with asterisks when you connect to a game server that requests authentication. This protects your password from being visible on screen.

See Also: ECHO Telnet Option

Disabling Password Masking

For users in trusted environments who prefer to see what they're typing, during password entry you can find an icon in the shape of an eye on the right side of the command line to unmask the password, or you can disable permanently disable password masking:

1. Open the Profile Preferences dialog (Settings menu)
2. Go to the Special Options tab
3. Check the Disable password masking checkbox

Using Older Mudlet Versions (Before 4.20)

Starting with Mudlet 4.20, your saved passwords are stored securely using encryption. If you later use an older version of Mudlet (like 4.19.1 or earlier), here's what to expect:

• Your saved password may not appear – Older versions cannot read the new encrypted passwords, so the password field might be empty or show an outdated password.
• Simply re-enter your password – Just type your password again and continue playing normally.
• Your 4.20 passwords stay safe – Any password changes you make in an older version won't affect your encrypted passwords in 4.20+.
• No data loss occurs – When you return to Mudlet 4.20 or later, your securely stored passwords will still be there.

This design ensures that using an older Mudlet version temporarily won't corrupt or interfere with your modern encrypted password storage.