I saw tupac post a thread about this but looks like its gone now.
Here's what I was going to add
From this May 2002 interview with a BNETD developer, he described encryption as the most difficult task in making BNETD, he also admits the encryption is weak (by 2002's standards!)
I dont totally understand what he's saying, but I think he means the War2 Client itself is doing the hashing. If so we wouldnt be able to change it ever...
I'll have to look into it more. If the passwords could be made more secure, that would be good tho .. not a huge priority for a little circa 1995 game server, but other PvPGN servers could benefit from better password security, particularly servers with games like WC3 that require an email address at registration. With databases of emails and passwords leaking, can cause real problems for other PvPGN servers
"Probably the most daunting task was figuring out any part of the protocol that involved encryption. Thankfully, the server works without supporting any of those packet types. But that meant going without passwords on the player accounts. Not having passwords was OK for LAN parties and systems behind firewalls, but some people wanted to allow logins from the Internet. Once we implemented account profiles, it became even more important so that players couldn't destroy each other's ratings.
Thankfully, the hash size was the same as SHA1 and [we were] sent an example hashing function. The hashed password was sent in the plain to the server where it was stored for later logins. We figured out that the login hash used the session key and a random value (actually a timestamp), plus that hashed password, and then hashed it again.
The server performs the same operation and compares the results. It's not the greatest scheme (knowledge of single-hashed password is the same value as knowing the password), but it was good enough for a game server. There was some further complication because the hash is performed in an endian-dependent way and it doesn't use the standard initialization or padding."