SA-MP Forums

Go Back   SA-MP Forums > SA-MP Scripting and Plugins > Scripting Help > Tutorials

Old 16/07/2015, 04:48 AM   #21
rymax99
Gangsta
 
Join Date: Jul 2012
Location: Florida, United States
Posts: 733
Reputation: 124
Default Re: Using new SHA-256 function

Quote:
Originally Posted by RaeF View Post
Why must we hash a password? Is there any chance of someone trying to hack a player account??

Edit:

Is it possible to attack password inside .ini .json files?
In the event someone gets their hands on your database, you don't exactly want all of your players' plain-text passwords readily available to attackers. Hashing doesn't prevent weak passwords from being brute-forced, but it's enough to give a fair warning to players to change their password, and implement something script-side for damage control.

Another reason for hashing is to protect players from themselves. It's never advised to over-utilize passwords, but it's all too common that people will use one password for everything. In the event that, again, someone gets their hands on your database, you don't want an attacker to have access to plain-text player passwords with the potential to access the email accounts, bank accounts, PayPal accounts, etc. of players. Not only would it be unfortunate for your players, it'd also be severely reputation-tarnishing for your community.

Regardless of how you store passwords, whether it be in a database or via a file-saving system, you shouldn't store plain-text passwords. It's terrible practice and simply shouldn't be done.
rymax99 is offline   Reply With Quote
Old 16/07/2015, 08:46 AM   #22
dominik523
Gangsta
 
Join Date: Feb 2013
Location: Croatia
Posts: 891
Reputation: 115
Default Re: Using new SHA-256 function

Quote:
Originally Posted by rymax99 View Post
In the event someone gets their hands on your database, you don't exactly want all of your players' plain-text passwords readily available to attackers. Hashing doesn't prevent weak passwords from being brute-forced, but it's enough to give a fair warning to players to change their password, and implement something script-side for damage control.

Another reason for hashing is to protect players from themselves. It's never advised to over-utilize passwords, but it's all too common that people will use one password for everything. In the event that, again, someone gets their hands on your database, you don't want an attacker to have access to plain-text player passwords with the potential to access the email accounts, bank accounts, PayPal accounts, etc. of players. Not only would it be unfortunate for your players, it'd also be severely reputation-tarnishing for your community.

Regardless of how you store passwords, whether it be in a database or via a file-saving system, you shouldn't store plain-text passwords. It's terrible practice and simply shouldn't be done.
Very nicely said. Thanks.
Like you said, it's irrelevant how you store passwords. You can take a password from a database or an ini file. It will be the same, and then you just insert it into some brute-force or dictionary attack.
__________________
[Tutorial] Using new SHA-256 function
dominik523 is offline   Reply With Quote
Old 20/07/2015, 09:04 PM   #23
AchievementMaster360
Huge Clucker
 
Join Date: Apr 2012
Location: New York, United States
Posts: 237
Reputation: 24
Default Re: Using new SHA-256 function

Finally, I've looked for something like this for a while now. Thanks.
AchievementMaster360 is offline   Reply With Quote
Old 15/01/2016, 10:45 AM   #24
venomlivno8
Big Clucker
 
Join Date: Jan 2013
Posts: 98
Reputation: 5
Default Re: Using new SHA-256 function

Thanks, repup!
venomlivno8 is offline   Reply With Quote
Old 15/01/2016, 06:50 PM   #25
Vince
Spam Machine
 
Join Date: Sep 2007
Location: Belgium
Posts: 10,962
Reputation: 2649
Default Re: Using new SHA-256 function

Slightly older topic, but lately I've seen another method of applying a salt. Instead of generating a random salt, the e-mail address is used as the salt instead. If e-mail addresses are unique in the table - and to be honest, why wouldn't they be - then you've got yourself a perfect salt. That also means that a user must enter his password if he wants to change his e-mail address because the hash needs to be recalculated with the new salt. Although that's not necessarily a bad thing.
Vince is offline   Reply With Quote
Old 18/08/2016, 09:49 PM   #26
PrO.GameR
Gangsta
 
Join Date: Oct 2012
Posts: 731
Reputation: 121
Default Re: Using new SHA-256 function

Woops, wrong topic!
Although this is a useful bump I guess.
__________________
Blueberry Prison Roleplay will be back soon!
Follow the forums for more information about opening day.

PrO.GameR is offline   Reply With Quote
Old 18/08/2016, 10:36 PM   #27
SKAzini
Huge Clucker
 
Join Date: Jun 2012
Posts: 381
Reputation: 17
Default Re: Using new SHA-256 function

Good point on the fact that you should salt your passwords, to prevent someone from using a rainbow table to crack most passwords in your database at once.

The bad thing about using SHA-256, though, is that it can be run 1400 million times per second on a consumer-grade GPU, cracking a 6-character-long password (containing a-z, A-Z, 0-9 and a LOT of different symbols) in under 8 minutes. If one of your admins is dumb as fuck and has some scuffed password, it'll get brute-forced, and you're going to (probably) have a bad time, unless the breach is detected. I'd better be safe than sorry.

Please check out bcrypt, which even comes with a built-in salting function. Implementation for SA-MP here.
SKAzini is offline   Reply With Quote
Old 19/02/2017, 12:12 PM   #28
BugsBunny
Little Clucker
 
Join Date: Mar 2014
Posts: 13
Reputation: 0
Default Re: Using new SHA-256 function

pawn Code:
forward LoadUser_data(playerid, name[], value[]);
public LoadUser_data(playerid, name[], value[])
{
    // y_ini callback: fills pInfo from the "key = value" lines of the player's file.
    INI_String("Name", pInfo[playerid][pName]);
    INI_String("Password", pInfo[playerid][pPass]);
    INI_String("Salt", pInfo[playerid][pSalt]);
    INI_Int("Money", pInfo[playerid][pMoney]);
    INI_Int("Score", pInfo[playerid][pScore]);
    INI_Int("Kills", pInfo[playerid][pKills]);
    INI_Int("Deaths", pInfo[playerid][pDeaths]);
    INI_Int("Admin", pInfo[playerid][pAdmin]);
    return 1;
}

stock UserPath(playerid)
{
    new string[128], playername[MAX_PLAYER_NAME];
    GetPlayerName(playerid, playername, sizeof(playername));
    format(string, sizeof(string), USER_PATH, playername);
    return string;
}

public OnPlayerConnect(playerid)
{
    if(fexist(UserPath(playerid)))
    {
        // Existing account: load the stored hash and salt now, so DIALOG_LOGIN can compare against them.
        INI_ParseFile(UserPath(playerid), "LoadUser_%s", .bExtra = true, .extra = playerid);
        ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "MC:RP - Accesso Utente", "Bentornato!\nQuesto account e' gia' registrato.\nDigita la tua password per accedere.", "Accedi", "Esci");
    }
    else
    {
        ShowPlayerDialog(playerid, DIALOG_REGISTER, DIALOG_STYLE_PASSWORD, "MC:RP - Registrazione Utente", "Benvenuto!\nQuesto account non e' registrato.\nDigita una password per registrarti.", "Registra", "Esci");
    }
    return 1;
}

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    switch(dialogid)
    {
        case DIALOG_REGISTER:
        {
            if(!response) return Kick(playerid);
            if(!strlen(inputtext))
            {
                SendClientMessage(playerid, COLOR_RED, "[ERRORE]: Devi digitare una password per poterti registrare!");
                ShowPlayerDialog(playerid, DIALOG_REGISTER, DIALOG_STYLE_PASSWORD, "MC:RP - Registrazione Utente", "Benvenuto!\nQuesto account non e' registrato.\nDigita una password per registrarti.", "Registra", "Esci");
                return 1; // without this return the code below went on to register an empty password
            }
            // 10-character random salt from printable ASCII 47..125 ('/'..'}'), null-terminated.
            new salt[11];
            for(new i; i < 10; i++)
            {
                salt[i] = random(79) + 47;
            }
            salt[10] = 0;
            // Buffer length 65 = 64 hex characters + terminator. The login code must use the same length.
            SHA256_PassHash(inputtext, salt, pInfo[playerid][pPass], 65);

            // The original wrote an undefined symbol "Name" here; use the connected player's name.
            new playername[MAX_PLAYER_NAME];
            GetPlayerName(playerid, playername, sizeof(playername));

            new INI:File = INI_Open(UserPath(playerid));
            INI_SetTag(File, "Player's Data");
            INI_WriteString(File, "Name", playername);
            INI_WriteString(File, "Password", pInfo[playerid][pPass]);
            INI_WriteString(File, "Salt", salt);
            INI_WriteInt(File, "Money", 0);
            INI_WriteInt(File, "Score", 0);
            INI_WriteInt(File, "Kills", 0);
            INI_WriteInt(File, "Deaths", 0);
            INI_WriteInt(File, "Admin", 0);
            INI_Close(File);
            return 1;
        }

        case DIALOG_LOGIN:
        {
            if(!response) return Kick(playerid);
            new hash[65];
            // Same buffer length as at registration (sizeof(hash) == 65); the original passed 64 here.
            SHA256_PassHash(inputtext, pInfo[playerid][pSalt], hash, sizeof(hash));
            // strcmp returns 0 for equal strings, but also 0 when either string is empty,
            // so refuse an account whose stored hash failed to load instead of letting anyone in.
            if(strlen(pInfo[playerid][pPass]) == 64 && !strcmp(hash, pInfo[playerid][pPass]))
            {
                INI_ParseFile(UserPath(playerid), "LoadUser_%s", .bExtra = true, .extra = playerid);
                GivePlayerMoney(playerid, pInfo[playerid][pMoney]);
            }
            else
            {
                SendClientMessage(playerid, COLOR_RED, "[ERRORE]: Hai digitato una password errata. Riprova!");
                ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "MC:RP - Accesso Utente", "Bentornato!\nQuesto account e' gia' registrato.\nDigita la tua password per accedere.", "Accedi", "Esci");
            }
            return 1;
        }
    }
    return 1;
}

Why can't I log in? What's wrong? It saves everything, but I can't access.
Sorry for opening older topics...
BugsBunny is offline   Reply With Quote
Old 28/02/2017, 01:39 PM   #29
Juance
Gangsta
 
Join Date: Jun 2014
Posts: 556
Reputation: 31
Default Re: Using new SHA-256 function

Is this method better than whirlpool?
Juance is offline   Reply With Quote
Old 21/04/2018, 01:19 PM   #30
Phreak
Little Clucker
 
Join Date: Apr 2018
Location: Skyrim
Posts: 23
Reputation: 0
Default Re: Using new SHA-256 function

But if someone gets the database, wouldn't that mean they also get the salts, which would make random salts useless?

Edit: At least in this case, where you store the salt in the same database.
Phreak is offline   Reply With Quote
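The two questions that keep coming back in this thread (SKAzini's rainbow-table point and Phreak's "the salts are in the same database, so what do they buy me?") worked through in Python, as an added example that is not code from the thread, from the tutorial, or from the SA-MP natives. The account names, passwords and the short common-password list are constructed; the salt||password input order only mirrors the shape of the SHA256_PassHash call and is an assumption; PBKDF2 stands in for the bcrypt SKAzini recommends because it ships with Python and bcrypt does not.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the thread): three players, two of whom
# chose the same weak password, plus a short "common passwords" list standing
# in for the precomputed (rainbow) table an attacker already owns.
SAMPLE_USERS = {
    "Alice_Smith": "hunter2",
    "Bob_Jones": "hunter2",
    "Carol_White": "correct horse battery staple",
}
COMMON_PASSWORDS = ["123456", "password", "hunter2", "qwerty"]


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same password gives the same hash for every player."""
    return sha256_hex(password)


def hash_salted(password: str, salt: str) -> str:
    """SHA-256 over salt and password (salt||password order is an assumption)."""
    return sha256_hex(salt + password)


def new_salt() -> str:
    """16 bytes from the OS CSPRNG, hex-encoded so it stores safely in an INI or DB."""
    return secrets.token_hex(16)


def register(store: dict, name: str, password: str) -> None:
    """Keep the salt right beside the hash: that is expected, not a weakness."""
    salt = new_salt()
    store[name] = {"salt": salt, "hash": hash_salted(password, salt)}


def verify(store: dict, name: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    rec = store.get(name)
    if rec is None:
        return False
    return hmac.compare_digest(hash_salted(password, rec["salt"]), rec["hash"])


def precomputed_table() -> dict:
    """hash -> password for the common list: built once, reused against any leak."""
    return {hash_unsalted(p): p for p in COMMON_PASSWORDS}


def accounts_matched_unsalted(users: dict) -> dict:
    """Unsalted store: each account is one table lookup, no hashing at all."""
    table = precomputed_table()
    hashes = {name: hash_unsalted(pw) for name, pw in users.items()}
    return {name: table[h] for name, h in hashes.items() if h in table}


def accounts_matched_salted(store: dict) -> dict:
    """Same table against a salted store: the salts are sitting in the store,
    yet nothing matches, because the table was computed without them."""
    table = precomputed_table()
    return {name: table[r["hash"]] for name, r in store.items() if r["hash"] in table}


def hashes_required(store: dict, guesses: int, cost: int = 1) -> int:
    """Work for someone who does have the salts: every guess is re-hashed for
    every account, times the hash's cost factor (1 for bare SHA-256, the
    iteration count for an iterated KDF)."""
    return len(store) * guesses * cost


def hash_slow(password: str, salt: str, iterations: int = 100_000) -> str:
    """Iterated KDF standing in for bcrypt: one guess now costs `iterations`
    SHA-256 computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt), iterations).hex()


def summary() -> dict:
    """Run the comparison on the sample accounts and return the figures."""
    store = {}
    for name, pw in SAMPLE_USERS.items():
        register(store, name, pw)
    guesses = len(COMMON_PASSWORDS)
    return {
        "unsalted_matches": accounts_matched_unsalted(SAMPLE_USERS),
        "salted_matches": accounts_matched_salted(store),
        "same_password_distinct_hashes":
            store["Alice_Smith"]["hash"] != store["Bob_Jones"]["hash"],
        "alice_login_ok": verify(store, "Alice_Smith", "hunter2"),
        "alice_wrong_password": verify(store, "Alice_Smith", "hunter3"),
        "sha256_work": hashes_required(store, guesses),
        "pbkdf2_work": hashes_required(store, guesses, cost=100_000),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Reading the output: with no salt, Alice and Bob fall out of a single precomputed table together; with per-account salts the same table matches nobody, and whoever holds the salts still has to hash every guess once per account, which a slow KDF then multiplies by its iteration count. That is what a stored salt buys: it does not hide anything, it removes the shortcut.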