[rymax99]

Quote:

Originally Posted by RaeF Why do we must hash a password ? there is any chance someone trying to hack player account?? Edit: Is it possible to attack password inside .ini .json files?

In the event someone gets their hands on your database, you don't exactly want all of your players plain text passwords readily available to attackers. Hashing doesn't prevent weak passwords from being brute forced, but it's enough to give a fair warning to players to change their password, and implement something script side for damage control.

Another reason for hashing is to protect players from themselves. It's never advised to over utilize passwords, but it's all to common that people will use one password for everything. In the event that again, someone gets their hands on your database, you don't want an attacker to have access to plain text player passwords with the potential to access the email accounts, bank accounts, PayPal accounts, etc. of players. Not only would it be unfortunate for your players, it'd also be severely reputation tarnishing for your community.

How you store passwords is irregardless, weather it be in a database or via a file saving system. You shouldn't store plain-text passwords. It's terrible practice and simply shouldn't be done.

[dominik523]

Quote:

Originally Posted by rymax99 In the event someone gets their hands on your database, you don't exactly want all of your players plain text passwords readily available to attackers. Hashing doesn't prevent weak passwords from being brute forced, but it's enough to give a fair warning to players to change their password, and implement something script side for damage control. Another reason for hashing is to protect players from themselves. It's never advised to over utilize passwords, but it's all to common that people will use one password for everything. In the event that again, someone gets their hands on your database, you don't want an attacker to have access to plain text player passwords with the potential to access the email accounts, bank accounts, PayPal accounts, etc. of players. Not only would it be unfortunate for your players, it'd also be severely reputation tarnishing for your community. How you store passwords is irregardless, weather it be in a database or via a file saving system. You shouldn't store plain-text passwords. It's terrible practice and simply shouldn't be done.

Very nicely said. Thanks.
Like you said, it's irrelevant how you store passwords. You can take a password from a database or ini file. It will be the same and then you just insert it into some brute force or dictionary attack.

[AchievementMaster360]

Finally, I've looked for something like this for a while now. Thanks.

[venomlivno8]

Thanks, repup!

[Vince]

Slightly older topic, but lately I've seen another method of applying a salt. Instead of generating a random salt, the e-mail address is used as the salt instead. If e-mail addresses are unique in the table - and to be honest, why wouldn't they be - then you've got yourself a perfect salt. That also means that a user must enter his password if he wants to change his e-mail address because the hash needs to be recalculated with the new salt. Although that's not necessarily a bad thing.

[PrO.GameR]

Woops, wrong topic!
Although this is a useful bump I guess.

[SKAzini]

Good point on the fact that you should salt your passwords, to prevent someone from using a rainbow table to crack most passwords in your database at once.

The bad thing about using SHA-256 though is that it can be run 1400 million times per second on a consumer-grade GPU, cracking a 6 character long password (containing a-z, A-Z, 0-9 and a LOT of different symbols) in under 8 minutes. If one of your admins are dumb as fuck and have some scuffed password, it'll get bruteforced, and you're going to (probably) have a bad time, unless the breach is detected. I'd better be safe than sorry.

Please check out bcrypt, which even comes with a built-in salting function. Implementation for SA-MP here.

[BugsBunny]

pawn Code:

forward LoadUser_data(playerid, name[], value[]);
public LoadUser_data(playerid, name[], value[])
{
    INI_String("Name", pInfo[playerid][pName]);
    INI_String("Password", pInfo[playerid][pPass]);
    INI_String("Salt", pInfo[playerid][pSalt]);
    INI_Int("Money", pInfo[playerid][pMoney]);
    INI_Int("Score", pInfo[playerid][pScore]);
    INI_Int("Kills", pInfo[playerid][pKills]);
    INI_Int("Deaths", pInfo[playerid][pDeaths]);
    INI_Int("Admin", pInfo[playerid][pAdmin]);
    return 1;
}

stock UserPath(playerid)
{
    new string[128],playername[MAX_PLAYER_NAME];
    GetPlayerName(playerid,playername,sizeof(playername));
    format(string,sizeof(string),USER_PATH,playername);
    return string;
}

public OnPlayerConnect(playerid)
{
    if(fexist(UserPath(playerid)))
    {
        INI_ParseFile(UserPath(playerid), "LoadUser_%s", .bExtra = true, .extra = playerid);
        ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "MC:RP - Accesso Utente", "Bentornato!\nQuesto account e' gia' registrato.\nDigita la tua password per accedere.", "Accedi", "Esci");
    }
    else
    {
        ShowPlayerDialog(playerid, DIALOG_REGISTER, DIALOG_STYLE_PASSWORD, "MC:RP - Registrazione Utente", "Benvenuto!\nQuesto account non e' registrato.\nDigita una password per registrarti.", "Registra", "Esci");
    }
    return 1;
}

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    switch(dialogid)
    {
        case DIALOG_REGISTER:
        {
            if(!response) return Kick(playerid);
            if(response)
            {
                if(!strlen(inputtext))
                {
                    SendClientMessage(playerid, COLOR_RED, "[ERRORE]: Devi digitare una password per poterti registrare!");
                    ShowPlayerDialog(playerid, DIALOG_REGISTER, DIALOG_STYLE_PASSWORD, "MC:RP - Registrazione Utente", "Benvenuto!\nQuesto account non e' registrato.\nDigita una password per registrarti.", "Registra", "Esci");
                }
                new salt[11];
                for(new i; i < 10; i++)
                {
                    salt[i] = random(79) + 47;
                }
                salt[10] = 0;
                SHA256_PassHash(inputtext, salt, pInfo[playerid][pPass], 65);

                new INI:File = INI_Open(UserPath(playerid));
                INI_SetTag(File, "Player's Data");
                INI_WriteString(File, "Name", Name);
                INI_WriteString(File, "Password", pInfo[playerid][pPass]);
                INI_WriteString(File, "Salt", salt);
                INI_WriteInt(File, "Money", 0);
                INI_WriteInt(File, "Score", 0);
                INI_WriteInt(File, "Kills", 0);
                INI_WriteInt(File, "Deaths", 0);
                INI_WriteInt(File, "Admin", 0);
                INI_Close(File);
            }
            return 1;
        }

        case DIALOG_LOGIN:
        {
            if(!response) return Kick(playerid);
            if(response)
            {
                new hash[65];
                SHA256_PassHash(inputtext, pInfo[playerid][pSalt], hash, 64);
                if(!strcmp(hash, pInfo[playerid][pPass]))
                {
                    INI_ParseFile(UserPath(playerid), "LoadUser_%s", .bExtra = true, .extra = playerid);
                    GivePlayerMoney(playerid, pInfo[playerid][pMoney]);
                }
                else
                {
                    SendClientMessage(playerid, COLOR_RED, "[ERRORE]: Hai digitato una password errata. Riprova!");
                    ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "MC:RP - Accesso Utente", "Bentornato!\nQuesto account e' gia' registrato.\nDigita la tua password per accedere.", "Accedi", "Esci");
                }
                return 1;
            }
        }
    }
    return 1;
}

Why I can't login? What's wrong? It saves everything but I can't access.
Sorry for opening older topics...

[Juance]

Is this method better than whirlpool?

[Phreak]

But of someone gets the database wouldn't that mean they also get the salts which would make random salts useless?

Edit: At least in this case, where you store the salt in the same database.

[ranme15]

Quote:

Originally Posted by Phreak But of someone gets the database wouldn't that mean they also get the salts which would make random salts useless? Edit: At least in this case, where you store the salt in the same database.

No. Unless you are guessing the player's pass

[JesterlJoker]

Quote:

Originally Posted by Phreak But of someone gets the database wouldn't that mean they also get the salts which would make random salts useless? Edit: At least in this case, where you store the salt in the same database.

You have a salt and the hashed password. You will still need to brutally attack the password to crack it open. You'll still need to have the persons password which is a million possibility.

[AmigaBlizzard]

If they have access to your database or user files, in which the hashed password and salt is located, why do they need the password for then?
In that same database, it holds your money, score, kills, ...
They could easily delete all player's money, score, ...
Or they could set their money value to 2 billion.
Or set their admin-level to maximum to have admin privileges upon logging in with their own account.
Or wipe your entire database.
Hashing passwords doesn't make it safe if they have access to your entire database.

Why would they run a script for days/weeks/months to crack a password when all other data is exposed at the same time?

[JesterlJoker]

That's the thing you must learn how hackers think. It's not that they want to do something harmful, its the thrill of the challenge that they'd want to feel...

Those people who would just change stats are not hackers at all, they are just cheaters, but hackers, oh I know how it feels...

To be honest the first thing you should secure the webserver though. No matter how hard shell is your functionality when your database is easy to pick on. Now a days dedicated web servers have a high rate defense than their added functionalities such as PHP and MySQL, which is why hackers would mostly hack a single account and strike slow from there rather than trying to bypass the system through the web server. Which is nearly impossible.

It is plain and stupid to trust anyone to use your web server even if you consider them friend.

[iKarim]

Quote:

Originally Posted by AmigaBlizzard Why would they run a script for days/weeks/months to crack a password when all other data is exposed at the same time?

Most people use a single password for everything, databases most likely contains users emails and passwords, if you don't hash your passwords, they could easily access the email accounts and start from there.

Saving passwords in plain text or similar methods is ABSOLUTELY terrible, thus you hash your users passwords. In the case of a breach, the harm won't be as much.

[AmirSavand]

What about using the MySQL function PASSWORD()? or SHA('password', 256) if I'm not mistaken?