[Tutorial] Properly Securing Passwords
#16

Good tutorial. I had a few thoughts though.

As for the server hanging with a 60k hash loop, I have to agree that despite it being secure, it currently is not viable in samp (as it would cause major lag, especially with a lot of players and/or on a shared server), but that doesn't mean we should discard it. We could always enhance the algorithm that salts the pass to begin with. Right now we add the salt to the end of the password, why actually? Why don't we add it in, say, the middle of the password? This way the attacker would first have to guess, even with the salt, where it is placed in the password. Of course then we could also hash it a few thousand times to be on the safe side. There is almost no way for the attacker to know how many times the password is calculated; IMHO, getting some random value like 1358 would be safer, as he would have to do it exactly 1358.

I also had another thought. Why don't we use some random variable like the player's name for the salt, and make a function to calculate the salt using that (maybe a hash of some sort)? We don't store the salt anywhere and we do not know the salt; this way, if the attacker cracks the database, he doesn't have access to the salt. Now that I think of that a bit more, the latter might be a bit unsafe.

I'm not going to claim to know much on this subject; I never had classes in it and I'm merely expressing a few thoughts I had. If anyone who is more knowledgeable on this subject could dismiss it (if it proves to be unsafe), I'd be glad to know.
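For comparison with the ideas in the post above, an added example (not part of the thread, and in Python rather than Pawn): a per-account random salt and the iteration count are stored next to the hash, so verification depends on no hidden salt position or secret loop count, and the count can be raised later. The record format, function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"   # label stored in each record (constructed format)
ITERATIONS = 60_000      # work factor; the 60k figure discussed in the thread
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count read from the record."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if algo != ALGO or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses a lower work factor than the current one."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True  # unreadable record: replace it at next successful login


if __name__ == "__main__":
    a = hash_password("hunter2")   # constructed sample password
    b = hash_password("hunter2")
    print(a != b)                  # same password, different salts
    print(verify_password("hunter2", a), verify_password("hunter3", a))
    print(needs_rehash(hash_password("hunter2", 1358)))
```

On a successful login where `needs_rehash` returns true, the server can store a new record from `hash_password` so older accounts move to the current work factor.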


Messages In This Thread
Properly Securing Passwords - by SchurmanCQC - 22.02.2013, 00:59
Re: Properly Securing Passwords - by Luis- - 22.02.2013, 08:47
Re: Properly Securing Passwords - by SchurmanCQC - 22.02.2013, 10:55
Re: Properly Securing Passwords - by Babul - 22.02.2013, 11:12
Re: Properly Securing Passwords - by Johnson_boy - 22.02.2013, 12:00
Re: Properly Securing Passwords - by Jstylezzz - 22.02.2013, 12:02
Re: Properly Securing Passwords - by SchurmanCQC - 22.02.2013, 13:25
Re: Properly Securing Passwords - by Vince - 22.02.2013, 14:02
Re: Properly Securing Passwords - by SchurmanCQC - 22.02.2013, 14:06
Re: Properly Securing Passwords - by Vince - 22.02.2013, 14:40
Re: Properly Securing Passwords - by SchurmanCQC - 22.02.2013, 16:29
Re: Properly Securing Passwords - by Vince - 22.02.2013, 16:56
Re: Properly Securing Passwords - by Johnson_boy - 22.02.2013, 17:39
Re: Properly Securing Passwords - by Johnson_boy - 25.02.2013, 18:28
Re: Properly Securing Passwords - by Johnson_boy - 26.02.2013, 06:59
Re: Properly Securing Passwords - by playbox12 - 26.02.2013, 08:07
Re: Properly Securing Passwords - by SchurmanCQC - 08.07.2013, 15:27
Re: Properly Securing Passwords - by iTheScripter - 08.07.2013, 21:21
Re: Properly Securing Passwords - by Mindcode - 09.07.2013, 12:54
Re: Properly Securing Passwords - by BabyBauer - 17.07.2018, 14:54
Re: Properly Securing Passwords - by IdonTmiss - 17.07.2018, 17:43
Re: Properly Securing Passwords - by Calisthenics - 17.07.2018, 17:54
Re: Properly Securing Passwords - by AmigaBlizzard - 22.07.2018, 10:03
