[Tutorial] How to salt passwords
#1

Introduction

In this tutorial I want to show you how to salt your passwords. You might think now: What is salting? Well it is actually quite simple. As you know: The hash of a password for a specific word is always the same. I want to give you a little example to explain this a little bit closer. In my case I am using the Whirlpool Plugin which can be downloaded here: https://sampforum.blast.hk/showthread.php?tid=65290

The hash of the word 'World' will always look like this:
Code:
377923742CCF58EB3B1765A9FC72E0D9F7BCC16D9A468FA4C083953506DFE03566D2D9179B86E07412A10B4D53FC7E9D9379B049EF30BB0B9BE1CF5D1BD22537
If somebody attacked your server now this person would be able to use a so called lookup table (or rainbow table). These tables basically contain all words from a dictionary in their hashed form. By using such a table they can crack your passwords quite easily. That's where salting comes in place.

This 'salt' is just a random string. There are however some points which are important for choosing a salt:
  • The longer the salt is, the better
  • Do NOT use the same salt for every password
  • Randomly generated salts would be the best choice

Coming back to the word 'World' from before, combined with a salt, the hashes would look like this:

Code:
Normal hash:
377923742CCF58EB3B1765A9FC72E0D9F7BCC16D9A468FA4C083953506DFE03566D2D9179B86E07412A10B4D53FC7E9D9379B049EF30BB0B9BE1CF5D1BD22537

Salted hash: 
E15DA50879CC1433DB63D7C5BC117A27D6626AD0A8F12687421A2BCEAD06FF860B7D2CDDA31DF44AF66A56CC8BE6B29C4CCBC02814303FAA3662E38D32CA2558

Salt:
bl4aEVF68q91j4LY3kQ6E5r4I8d933zJ071C61Y863Jb6a7c591O453K9Y66kq41
You will notice that the hashes are completely different, eventhough the word which got hashed was the same. Using a normal lookup table will now not help since the salt is totally random. This will force the person who attacks your server to create a new lookup table which requires quite some time.


Using Salted Hashes In Your Account System

It is really important that you store the salt in it's normal form (unhashed) in a player's account since you will need it when the player tries to login.


Registering:

You need to generate a random string for the salt. Then you want to combine the salt with your password (unhashed).

For a random string I used this function:

pawn Code:
// credits go to: RyDeR`
stock randomString(strDest[], strLen = 10)
{
    while(strLen--)
        strDest[strLen] = random(2) ? (random(26) + (random(2) ? 'a' : 'A')) : (random(10) + '0');
}
pawn Code:
new salt[64],string[128]; //declare some variables
randomString(salt,sizeof(salt)); //generate our 'salt'
//combine salt with password
strcat(string,salt); //your salt
strcat(string,"World"); //your password
It would be the best if your salt had the same lenght as the hashed password (output of the hash function), but 64 signs fits quite well I think.

Now we just need to hash the final string:

pawn Code:
WP_Hash(buf, sizeof(buf),string);
You can actually use any hash function for this. I will not closer explain how to use Whirlpool; you can read this up in the topic for it. Now we just have to save the hash + the salt in the player's account, like this:

pawn Code:
dini_Set("account.ini","Password", buf);
dini_Set("account.ini","Salt",salt);
Again it does not matter at all which way to save accounts you use. It is just important that you can always get the salt from the account. Remember: The salt does NOT need to be secret.


Login:

You just have to combine the password (again unhashed) with the salt which is stored in the account. Then hash the final string and compare it with the hashed password which is stored in the player's account (salted).
Reply
#2

you know we just talked about this in a thread not to long ago,
Salting i do think will help make the hash more secure.


great tutorial for everyone that does not know about this!.
Reply
#3

nice tut.
never knew a salt stuff xD
so it is just for making a more secure way to hash?
"yes i guess" cool
Reply
#4

Quote:
Originally Posted by Y_Less
View Post
I have recently been made aware of a much greater problem in password security, previously I would have said that Whirlpool and this were good enough (though I don't actually salt hashes - bad me):

http://krebsonsecurity.com/2012/06/h...word-security/
Interesting article there, Y_Less. However, I'm unsure if password hashing as described there would work in a game like SA-MP. Taking a few 100 ms to login seems like an awful lot. (I don't know if this will be executed in the same single thread, or if it's a stand-alone application though.)
Reply
#5

A suggestion would be to actually store the salt into a file and XOR the file or something along those lines. This way your salt can not be as easily extracted and for those who use a MySQL server, the two data are seperated and one must have access to both, the real server and the mysql server and usually it is harder for one to gain access to the server itself.

Regards.
Reply
#6

Salting is a bit excessive just for SA-MP IMO. Whirlpool is more than enough.
Reply
#7

Quote:
Originally Posted by Calgon
View Post
Salting is a bit excessive just for SA-MP IMO. Whirlpool is more than enough.
I disagree. Especially looking at those servers out there who store the e-mail address of the user. Since most people are unaware of any security related issues that come with installing a mysql database for example it is very simplistic to inject their server and retrieve information such as passwords and emails. One out of a hundred users will likely be using the same password of the e-mail. Now with the e-mail itself I can check if that user has registered any kind of service other then sa-mp with that particular email. Now I might find valueable accounts such as Steam which are not a rare occassion in the scene.

I believe you underestimate the data that sa-mp servers collect.

EDIT:

Keep in mind that socialising is also a part of hacking. It is not too hard to find out one's MSN or such and from there on you can find their password through an injection - log on their MSN - scam someone important on their list - oh dear possibilities are endless I believe.

EDIT2:

tldr: You can never be save enough I believe.
Reply
#8

Quote:
Originally Posted by Extremo
View Post
I disagree. Especially looking at those servers out there who store the e-mail address of the user. Since most people are unaware of any security related issues that come with installing a mysql database for example it is very simplistic to inject their server and retrieve information such as passwords and emails. One out of a hundred users will likely be using the same password of the e-mail. Now with the e-mail itself I can check if that user has registered any kind of service other then sa-mp with that particular email. Now I might find valueable accounts such as Steam which are not a rare occassion in the scene.

I believe you underestimate the data that sa-mp servers collect.

EDIT:

Keep in mind that socialising is also a part of hacking. It is not too hard to find out one's MSN or such and from there on you can find their password through an injection - log on their MSN - scam someone important on their list - oh dear possibilities are endless I believe.

EDIT2:

tldr: You can never be save enough I believe.
Most servers I've played or scripted for only collect passwords and usernames, and IP addresses, the rest is irrelevant SA-MP information. They may collect emails in another database, i.e. forums, but most forums salt passwords too.

Yes, there are MySQL vulnerabilities, but I think you're vastly exaggerating how significant they are and especially injection - there are cases when people forget to protect against it, but I've only seen maybe 1-3 servers that are vulnerable.

Plus, I think you're forgetting how many people who are actually somewhat security-concious and use a unique password for every server/service they use.
Reply
#9

Quote:
Originally Posted by Calgon
View Post
Most servers I've played or scripted for only collect passwords and usernames, and IP addresses, the rest is irrelevant SA-MP information. They may collect emails in another database, i.e. forums, but most forums salt passwords too.

Yes, there are MySQL vulnerabilities, but I think you're vastly exaggerating how significant they are and especially injection - there are cases when people forget to protect against it, but I've only seen maybe 1-3 servers that are vulnerable.

Plus, I think you're forgetting how many people who are actually somewhat security-concious and use a unique password for every server/service they use.
I think you are underestimating how many users actually use the computer daily without understanding anything about the computer at all. We're speaking of a tool here, not everyone is like us and cares about what the tool actually does.

Nevertheless I don't quite believe this is worth argueing about because surely this is such a vast topic we could be discussing it for years.
Reply
#10

Here's a site to tell you roughly how long it would take to crack a given password. (i think w/o hash)

http://howsecureismypassword.net/

Mine would take about 288 duodecillion years to crack.

Should really use mixed case passwords with numbers as well as letters for a stronger password.

IMO, if you use a crappy password (mufc for man united fans) you deserve to have it cracked.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)