Question about hasing/whirlpool/md5..
#1

Misspelt title - sorry

Well, I have never really understood what they do, all I know is that they change passwords into a bunch of numbers and random letters.

--

What is the main advantage of this?
  • Is it to protect passwords from being compromised via the database / where they are stored?
  • Is it illegal to NOT hash/protect passwords in any way?
Personally, I have never hashed any passwords, and don't really plan on doing so until I figure out what they are for ..

Here are another few questions:

Is hashing passwords only to protect them from e.g. the host? (Is it so people who have access or hack into the SQL database cannot find out players' passwords? Or is there more to it?)

Mainly, I don't intend on hashing/protecting passwords due to:
  • I get a trusted, well-known host or host it on a VPS/Dedicated server
  • My main passwords are not easy to guess...
  • I don't share passwords or allow anyone else to the database but myself..
  • It's easier to implement it into PHP and other features (such as logging in from a .NET program, logging in via PHP script, reset password, etc.)
That's all I really have.. I'd like someone to "convince" me that protecting passwords is a good idea, but right now I don't think of it apart from a troublemaker. Such as needing plugins and extra scripts (no thanks!)
#2

It is a common practice to hash all user passwords. It is not a matter of trust. You should not be looking into your users' passwords, it's none of your business. This is private and sensitive information.

Also if your database gets compromised, all passwords are immediately visible. I would not register anywhere if I knew that my password would be stored in plain text. Implementing hashing is easy enough as MySQL supports md5, sha1 and sha2 (the latter as of version 5.5) by default. Comparison should be done by querying into the database, not by fetching the password from the database.
#3

Quote:
Originally Posted by Vince
It is a common practice to hash all user passwords. It is not a matter of trust. You should not be looking into your users' passwords, it's none of your business. This is private and sensitive information.

Also if your database gets compromised, all passwords are immediately visible. I would not register anywhere if I knew that my password would be stored in plain text. Implementing hashing is easy enough as MySQL supports md5, sha1 and sha2 (the latter as of version 5.5) by default. Comparison should be done by querying into the database, not by fetching the password from the database.
Fair enough, although I don't really care if people can look at my password, depending on what servers I play, they are mostly all different.

Is not hashing password illegal though? Or is it perfectly legal to keep passwords in plain text?
#4

No, it's not illegal. But like I said: very bad practice.
http://security.blogoverflow.com/201...uld-be-hashed/
#5

Unhashed passwords are the common error that causes the BIG scandals, like the PlayStation Network password leak.
For me it's just irresponsible to store the plain passwords.
#6

Yeah, you're not exactly losing time, money, and effort when you just hash it. "Better safe than sorry" is a phrase that comes to mind. Might as well do it to at least reassure the player.
#7

If you find it too much effort to hash the passwords, you shouldn't be making live systems; that's my view on it. I share the view of many, which is that it is irresponsible not to hash passwords: you're actually violating the trust your clients put in you to keep their personal data safe.
#8

Right ok, thanks for all of your opinions.

Here is another question:

---

Are you able to "dehash" the codes? Can you check what the actual plaintext is though? From in-game via a PAWN script?

With plaintext passwords, it's easy to spot ban evaders, and it is actually used in one of my scripts. (It compares IPs and passwords to spot any ban evaders.)
#9

If you could easily dehash them, what's the point in hashing them?
Just check for the same hash, which means the same password.
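An added example (not code from anyone in this thread) illustrating the two points made above: post #2's advice to hash passwords and verify a login by comparing hashes rather than reading the password back, and post #9's observation that with an unsalted hash, two equal hashes mean two equal passwords. The user table is constructed sample data; `md5_hex` mirrors MySQL's MD5() that post #2 mentions, and `hash_password`/`verify_password` are assumed helper names showing a salted, iterated alternative (PBKDF2) so the caveat is visible: once each password gets its own salt, the "same hash, same password" check no longer works, because that property is exactly what the salt is meant to remove.

```python
import hashlib
import hmac
import os

# Constructed sample data: what a plaintext password table looks like.
# Note that alice and carol happen to share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "letmein", "carol": "hunter2"}


def md5_hex(password):
    """Unsalted MD5, equivalent to MySQL's MD5(password) from post #2."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_unsalted_table(users):
    """Store only the hash; the plaintext never needs to be kept."""
    return {name: md5_hex(pw) for name, pw in users.items()}


def verify_unsalted(stored_hash, candidate):
    """Log in by hashing the candidate and comparing hashes, as post #2
    describes. compare_digest avoids timing differences on mismatch."""
    return hmac.compare_digest(stored_hash, md5_hex(candidate))


def find_shared_passwords(table):
    """Post #9's point: with an unsalted hash, identical stored hashes
    mean identical passwords, so duplicates are visible without the
    plaintext. Returns {hash: [names]} for every hash used more than once."""
    groups = {}
    for name, h in table.items():
        groups.setdefault(h, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


# --- Salted alternative (assumed helper names, not from the thread) ---

def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.
    The stored string carries everything needed to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Re-derive the digest from the stored salt/iterations and compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algo)
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def build_salted_table(users):
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    unsalted = build_unsalted_table(SAMPLE_USERS)
    print("unsalted duplicates:", find_shared_passwords(unsalted))
    print("bob logs in:", verify_unsalted(unsalted["bob"], "letmein"))

    salted = build_salted_table(SAMPLE_USERS)
    print("salted duplicates:", find_shared_passwords(salted))
    print("alice logs in:", verify_password(salted["alice"], "hunter2"))
```

Running it shows alice and carol grouped under one MD5 hash in the unsalted table and no groups at all in the salted one, while login verification works in both. A single unsalted MD5 is also what makes the "dehashing" asked about in post #8 feasible in practice: the same input always yields the same output, so a precomputed table of common passwords matches it directly, which is the weakness the per-user salt and iteration count address.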
#10

Quote:
Originally Posted by iTorran
If you could easily dehash them, what's the point in hashing them?
Just check for the same hash, which means the same password.
That's why people are moving to other hashes, such as whirlpool. Hashes such as whirlpool do not have a lot of decrypted passwords, which means they are safer than hashes such as md5 / sha1 etc..