22.02.2013, 10:55
Quote:
Firstly, I'm glad that people are starting to take this more seriously and I'm very happy to see this tutorial.
Secondly, I'm glad you like the thread design. Unfortunately, thirdly, two minor issues (sorry):

1) You don't save the salt at all. You generate a random string, append it, hash it, and discard it. This is no use at all; the salt needs to be stored with the hash so that the same hash can be generated when the user tries to log back in.

2) You are right, this is a proper cryptographic hash in that it is both secure and slow (an odd combination of requirements, but it makes brute-forcing basically impossible). The best I've seen before in SA:MP in terms of repeat hashings is 5 (I'm sorry to say that even y_users only does it twice, and only once till barely a month ago). Unfortunately, "slow" is a terrible feature for code in a real-time server like SA:MP, as you hold up the whole main data processing loop while doing this one task (and I dread to think how long 65536 hashes take - do you have any numbers?). For a while now I have debated a threaded plugin for doing this sort of cryptographically secure hashing separately from the main loop, with a callback when it is done. Players will not notice that the "logged in" message took 800 ms to appear instead of 300, but they WILL notice the improvement in sync from not having the server hang while doing it.
2) This may be how it is for SA-MP, but I do the hash 65536 times in PHP and it works absolutely fine. It does make sense though, as calling a function that belongs to a plugin that many times in a row could cause the server to hang.
I'll be changing this later on.
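The two points raised in the quoted post (the salt must be stored alongside the hash so it can be reused at login, and 65536 repeated hashings are slow) as an added example in Python; this is not the tutorial's Pawn or PHP code, and iterated SHA-256 over salt plus password is assumed as a stand-in for whatever hash the tutorial used:

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 65536  # the repeat count discussed in the thread


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated SHA-256 over salt || password (assumed stand-in for the tutorial's hash)."""
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def register_without_salt_stored(password: str) -> str:
    """The defect described in point 1: the salt is generated, used, then thrown away.
    Nothing returned here lets a later login recompute the same hash."""
    salt = os.urandom(16)
    return hash_password(password, salt).hex()  # salt is lost at this point


def register(password: str) -> dict:
    """Correct form: persist salt, hash and iteration count together."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
        "iterations": ITERATIONS,
    }


def verify(record: dict, password: str) -> bool:
    """Login check: rebuild the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def seconds_per_hash(iterations: int = ITERATIONS) -> float:
    """Answer to 'do you have any numbers': wall-clock time for one full hashing."""
    start = time.perf_counter()
    hash_password("timing-probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    rec = register("hunter2")  # constructed sample credential
    print("verify correct password:", verify(rec, "hunter2"))
    print("verify wrong password:  ", verify(rec, "hunter3"))
    print(f"{ITERATIONS} iterations took {seconds_per_hash():.3f} s on this machine")
```

The timing figure is what decides whether the loop belongs on a server's main thread or behind a callback, as the quoted post suggests.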