Where should I save the salts?
#1

I've seen a few tutorials making use of random salts to hash the passwords, but I assume there's no reason to do so if I'm gonna save them next to the passwords anyway.

I'm using MySQL, so where should I save the salts?
Is it possible (and viable) to work with two databases at the same time? Should I save them instead in a separate ini file? Give me some suggestions.
Reply
#2

Quote:
Originally Posted by Phreak
but I assume there's no reason to do so if I'm gonna save them next to the passwords anyway.
Not quite. If you're using password + salt then it will be kind of hard to decrypt the passwords even if they're stored in the same DB. But if you're still scared about how safe it is, you could use 2 (or more) different connections and store the salts and passwords in different databases.
Reply
#3

The only reason you would use a salt is to slow down an attacker. If they have access to your database it's a lost cause anyway.

It is perfectly fine to store the unique salt alongside the hash in the same table. Assuming you use a strong cipher algorithm, a UNIQUE PER-PLAYER salt and enough iterations, you have better security than 80% of the web services in the world.
Reply
#4

OK, but let's say someone used an easy password like "123456", which will probably be in every dictionary ever.
Couldn't the attacker just add the salt to the password and hash it then compare the hashes?
In this case a salted hash wouldn't be much more effective than one that is not salted.
Reply
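Posts #3 and #4 together describe the whole scheme: a random salt per player stored next to the hash, an iterated hash, and an attacker who has the table and simply re-hashes dictionary words under each player's salt. The example below is added here and is not code from the thread or from any game-server library; it uses Python's standard-library PBKDF2-HMAC-SHA256 in place of whatever the server's hashing native does, and a plain dict (the `users` variable) stands in for the MySQL table. The account names, passwords and the three-word wordlist are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # work factor per guess; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, generated fresh for every player


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(users: dict, name: str, password: str) -> None:
    """Store the per-player salt right next to the hash, in the same 'row'."""
    salt = secrets.token_bytes(SALT_BYTES)
    users[name] = {
        "salt": salt,
        "iterations": ITERATIONS,   # stored too, so it can be raised later per player
        "hash": hash_password(password, salt, ITERATIONS),
    }


def verify(users: dict, name: str, password: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    row = users.get(name)
    if row is None:
        return False
    candidate = hash_password(password, row["salt"], row["iterations"])
    return hmac.compare_digest(candidate, row["hash"])


def dictionary_attack(users: dict, wordlist: list) -> tuple:
    """What an attacker holding the dumped table can do (the scenario in post #4):
    hash each guess with each player's own salt and compare. Returns the cracked
    (name -> password) map and the number of PBKDF2 derivations it cost. The salt
    forces the work to be repeated per player; the iterations make each one slow."""
    cracked = {}
    derivations = 0
    for name, row in users.items():
        for guess in wordlist:
            derivations += 1
            candidate = hash_password(guess, row["salt"], row["iterations"])
            if hmac.compare_digest(candidate, row["hash"]):
                cracked[name] = guess
                break
    return cracked, derivations


def demo() -> tuple:
    """Three constructed accounts and a constructed three-word 'dictionary'."""
    users = {}
    register(users, "alice", "123456")
    register(users, "bob", "123456")             # same password as alice
    register(users, "carol", "#LoveMyPass1337")
    wordlist = ["password", "123456", "qwerty"]  # stand-in for a real wordlist
    cracked, derivations = dictionary_attack(users, wordlist)
    return users, cracked, derivations


if __name__ == "__main__":
    users, cracked, derivations = demo()
    print("alice and bob share a password but not a hash:",
          users["alice"]["hash"] != users["bob"]["hash"])
    print("cracked:", cracked)
    print("attacker spent", derivations, "derivations of", ITERATIONS, "iterations each")
```

Running it shows both halves of the thread's argument at once: alice and bob chose the same password but end up with different hashes, so one precomputed table cannot serve both of them, yet both are still cracked, because "123456" is in the wordlist and the attacker has the salts. What the salt and the iteration count buy is that the attacker pays `derivations * ITERATIONS` hash computations, repeated for every player, instead of one lookup. A strong password like carol's survives because the wordlist never reaches it, not because of the salt.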
#5

Quote:
Originally Posted by Phreak
OK, but let's say someone used an easy password like "123456", which will probably be in every dictionary ever.
Couldn't the attacker just add the salt to the password and hash it then compare the hashes?
In this case a salted hash wouldn't be much more effective than one that is not salted.
You can use the standard salt for passwords:
PHP code:
new MyHash[65]; // 64 hex characters of SHA-256 output plus the terminating NUL
SHA256_PassHash("test", "78sdjs86d2h", MyHash, sizeof MyHash); // password, salt, output buffer, buffer size
And you can create a variable that asks a player, when he wants to register, to add an uppercase letter, a number or a character ("@#$%&").
You just need to use your imagination.

Example: #LoveMyPass1337
Reply
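The registration rule the post describes (require an uppercase letter, a digit and one of "@#$%&"), written out as an added example that is not the post's own code and not in the server's scripting language; Python is used to match the other example on this page. The minimum length of 8 and the short `COMMON_PASSWORDS` blocklist are assumptions added here, the blocklist being the natural answer to the "123456 is in every dictionary" worry that a character-class rule alone does not address.

```python
import re

SPECIAL_CHARS = "@#$%&"   # the character set named in the post
MIN_LENGTH = 8            # assumed minimum; the post gives no number
# Constructed blocklist for the example; a real one is a file of the most
# common leaked passwords, checked case-insensitively.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "password1"}


def password_policy_failures(password: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("an uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("a digit")
    if not any(ch in SPECIAL_CHARS for ch in password):
        failures.append(f"one of {SPECIAL_CHARS}")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("not a commonly used password")
    return failures


def can_register(password: str) -> bool:
    """True when the password satisfies every rule."""
    return not password_policy_failures(password)


def registration_message(password: str) -> str:
    """Text to send back to the player in the registration dialog."""
    failures = password_policy_failures(password)
    if not failures:
        return "Password accepted."
    return "Your password needs: " + ", ".join(failures) + "."


if __name__ == "__main__":
    for candidate in ("#LoveMyPass1337", "123456", "Password1"):
        print(f"{candidate!r}: {registration_message(candidate)}")
```

The post's own example "#LoveMyPass1337" passes every rule, "123456" fails four of them, and "Password1" shows why the blocklist is worth having: it satisfies the uppercase and digit rules yet is still one of the first guesses in any wordlist.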

