07.09.2015, 20:57
For those, who are going to create another RolePlay server or something else.
Warning
Never keep raw password or hash, generated just from password by ANY known hash algorythm.
Why?
Soon or later, your database or files may be stolen (especially if you don't have experience in information protection or if you never thought about your server security). Yes, even my database may be stolen (As result of security leak in web-server? Who knows).
Even if you think that your database is well protected, I'll say "no, it's not". More about that you can find in ******, it's a wide topic and it's not a part of this "tutorial".
If someone can access your database with raw player passwords, he will also get paswords for that players on another servers, mail boxes etc (players usualy use the same password in many places). If passwords are encrypted with md5, sha1 or any other popular algorythm (md5(password)), it's not much better than raw passwords.
OK, but passwords are hashed, how can breaker get them from hashes?
For weak passwords (major part of your players use weak passwords) it's quite simple - he can use online decrypt services (works if this hash is already in service's database) or simply use bruteforce (some tools can hash up to 100,000 passwords every second and compare them with stolen hash - much faster than usual client-to-server bruteforce).
Also, sometimes hashes are saved into cookies on sites to log in users every time they return to this site. In case we know nickname and hash, we can simply put them into cookies and get access to victim's control panel / site account.
So what can we do?
The easiest way is to add a "salt" to password and then encrypt it (md5/sha1/other algorythm). Or encrypt encrypted password, adding salt. Or encrypt password many times with many algos and make it "very salty".
What is salt? Salt is a random value, mixed with password to make it harder to decrypt hash. Salt is generated randomly for each player on registration or when player changes password.
Simpliest example which not affects performance (almost):
Player "Anonimous" has password "12345678". We use md5(1234567
and get hash "25d55ad283aa400af464c76d713c07ad", which looks secure (there are many random symbols and we don't see any password here, so we think that this password is protected). If someone gets this hash, he can simply go to online decrypt service and get a password from this hash (for this moment 'hashkiller.co.uk' has 43.745 billion hashes which he can easily decrypt in a moment). As you know, many people use simple passwords, and you can be sure - hashkiller knows them all.
Now let's mix our password with salt. When player is registered, he gets a new 'salt'. Easiest way to generate a new salt is to use random() or any another random value (you can also use a hash of current GetTickCount() and then cut a part of it).
Now, when Anonimous is registered, we generate salt for him (for example, f09a449c). His hash is generated from password and salt: md5(password + salt): md5(12345678f09a449c), which is "76ff0581f57342f15352965561a1689a" and which is not found in 'hashkiller' database. Then we just add another field in database near hash and put a salt in it, and when player makes an attempt to connect to server we just compare his hash with his md5(password + salt(loaded from database)).
But some bruteforce soft still can easily decrypt this hash if it's possible to change it's hashing algorythm. It's not much harder to set a salt in bruteforce and get a password, it also may take just few seconds more to decrypt this easy thing (but only if you know how to do that).
The better (maybe best) way is to use your own hashing algorythm and salt - more complex it is, more protected your passwords.
Example:
We generate salt (f09a449c) and use next algorythm: md5(md5(password) . md5(salt)). As a result, we have a brand new hash that can't be found in any database (probably) and is quite expensive for bruteforce. "Hacker" don't know how your hash is generated (maybe you use salt before password or use two md5's for password?) and can waste much time to decrypt this hash (he must guess your algorythm). As you can see, the harder your algorythm is, the harder it is to decrypt your hash. You can also use your own hashing algorythm based on bitwise operations in addition to usual hashing functions - in this case your hashes may be totaly unbreakable.
But my database can't be stolen! It can't happen to me!
I don't think so.
I knew everything about that, it's boring for me to read your tutorial
It's great, because there are many people who doesn't know about that or think that their database can't be stolen, no way, man.
A few days ago someone has stolen database from another RolePlay server (it had more than 200 players online at one moment). It caused problems to many other servers (so as mine), because passwords in their database had too weak protection (if they were protected...) and that passwords were used with same nicknames on another servers, causing big problems. It made me quite angry - people start their commercial projects, but they even don't think about security.
I think it's better to bring down their crooked servers till the moment their owners learn anything about security and responsibility.
Remember that security must be everywhere, even in the rear.
(Topic may contain mistakes as I don't speak english, please PM me if you spot one)
Warning
Never keep raw password or hash, generated just from password by ANY known hash algorythm.
Why?
Soon or later, your database or files may be stolen (especially if you don't have experience in information protection or if you never thought about your server security). Yes, even my database may be stolen (As result of security leak in web-server? Who knows).
Even if you think that your database is well protected, I'll say "no, it's not". More about that you can find in ******, it's a wide topic and it's not a part of this "tutorial".
If someone can access your database with raw player passwords, he will also get paswords for that players on another servers, mail boxes etc (players usualy use the same password in many places). If passwords are encrypted with md5, sha1 or any other popular algorythm (md5(password)), it's not much better than raw passwords.
OK, but passwords are hashed, how can breaker get them from hashes?
For weak passwords (major part of your players use weak passwords) it's quite simple - he can use online decrypt services (works if this hash is already in service's database) or simply use bruteforce (some tools can hash up to 100,000 passwords every second and compare them with stolen hash - much faster than usual client-to-server bruteforce).
Also, sometimes hashes are saved into cookies on sites to log in users every time they return to this site. In case we know nickname and hash, we can simply put them into cookies and get access to victim's control panel / site account.
So what can we do?
The easiest way is to add a "salt" to password and then encrypt it (md5/sha1/other algorythm). Or encrypt encrypted password, adding salt. Or encrypt password many times with many algos and make it "very salty".
What is salt? Salt is a random value, mixed with password to make it harder to decrypt hash. Salt is generated randomly for each player on registration or when player changes password.
Simpliest example which not affects performance (almost):
Player "Anonimous" has password "12345678". We use md5(1234567
and get hash "25d55ad283aa400af464c76d713c07ad", which looks secure (there are many random symbols and we don't see any password here, so we think that this password is protected). If someone gets this hash, he can simply go to online decrypt service and get a password from this hash (for this moment 'hashkiller.co.uk' has 43.745 billion hashes which he can easily decrypt in a moment). As you know, many people use simple passwords, and you can be sure - hashkiller knows them all.Now let's mix our password with salt. When player is registered, he gets a new 'salt'. Easiest way to generate a new salt is to use random() or any another random value (you can also use a hash of current GetTickCount() and then cut a part of it).
Now, when Anonimous is registered, we generate salt for him (for example, f09a449c). His hash is generated from password and salt: md5(password + salt): md5(12345678f09a449c), which is "76ff0581f57342f15352965561a1689a" and which is not found in 'hashkiller' database. Then we just add another field in database near hash and put a salt in it, and when player makes an attempt to connect to server we just compare his hash with his md5(password + salt(loaded from database)).
But some bruteforce soft still can easily decrypt this hash if it's possible to change it's hashing algorythm. It's not much harder to set a salt in bruteforce and get a password, it also may take just few seconds more to decrypt this easy thing (but only if you know how to do that).
The better (maybe best) way is to use your own hashing algorythm and salt - more complex it is, more protected your passwords.
Example:
We generate salt (f09a449c) and use next algorythm: md5(md5(password) . md5(salt)). As a result, we have a brand new hash that can't be found in any database (probably) and is quite expensive for bruteforce. "Hacker" don't know how your hash is generated (maybe you use salt before password or use two md5's for password?) and can waste much time to decrypt this hash (he must guess your algorythm). As you can see, the harder your algorythm is, the harder it is to decrypt your hash. You can also use your own hashing algorythm based on bitwise operations in addition to usual hashing functions - in this case your hashes may be totaly unbreakable.
But my database can't be stolen! It can't happen to me!
I don't think so.
I knew everything about that, it's boring for me to read your tutorial
It's great, because there are many people who doesn't know about that or think that their database can't be stolen, no way, man.
A few days ago someone has stolen database from another RolePlay server (it had more than 200 players online at one moment). It caused problems to many other servers (so as mine), because passwords in their database had too weak protection (if they were protected...) and that passwords were used with same nicknames on another servers, causing big problems. It made me quite angry - people start their commercial projects, but they even don't think about security.
I think it's better to bring down their crooked servers till the moment their owners learn anything about security and responsibility.
Remember that security must be everywhere, even in the rear.
(Topic may contain mistakes as I don't speak english, please PM me if you spot one)
