SA-MP Forums
Old 26/02/2013, 08:07 AM   #21
playbox12 (High-roller; Join Date: Feb 2010; Location: Netherlands; Posts: 1,667; Reputation: 216)
Re: Properly Securing Passwords

Good tutorial. I had a few thoughts though.

As for the server hanging with a 60k hash loop, I have to agree that despite it being secure, it currently is not viable in SA-MP (as it would cause major lag, especially with a lot of players and/or on a shared server), but that doesn't mean we should discard it. We could always enhance the algorithm that salts the password to begin with. Right now we add the salt to the end of the password; why, actually? Why don't we add it in, say, the middle of the password? This way the attacker would first have to guess, even with the salt, where it is placed in the password. Of course then we could also hash it a few thousand times to be on the safe side. There is almost no way for the attacker to know how many times the password is calculated; IMHO, getting some random value like 1358 would be safer, as he would have to do it exactly 1358 times.

I also had another thought. Why don't we use some random variable like the player's name for the salt, and make a function to calculate the salt using that (maybe a hash of some sort)? We don't store the salt anywhere and we do not know the salt; this way, if the attacker cracks the database he doesn't have access to the salt. Now that I think of that a bit more, the latter might be a bit unsafe.

I'm not going to claim to know much on this subject. I never had classes in it and I'm merely expressing a few thoughts I had; if anyone who is more knowledgeable on this subject could dismiss it (if it proves to be unsafe), I'd be glad to know.
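The salted, stretched hashing that this thread discusses, as an added example written for this page in Python (not Pawn, and not code from the thread, the tutorial it replies to, or SA-MP; an SA-MP gamemode would call a hashing plugin instead). It shows the standard arrangement: a random per-account salt and the iteration count are stored next to the digest, because verification needs both, and a stored count lets the server raise the work factor later and rehash accounts on their next login. The algorithm, the record layout and the 65,000-iteration figure are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example: the algorithm, record layout and
# iteration count are assumptions, not values from the thread or from SA-MP.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 65000      # work factor; stored in each record so it can be raised later
SALT_BYTES = 16         # 128-bit random salt, unique per account


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh salt per account defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest); ValueError if malformed."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unknown hash algorithm in record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and count; compare in constant time."""
    try:
        iterations, salt, expected = parse_record(record)
    except ValueError:
        return False                            # corrupt record never matches
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when the stored work factor is below the current target.

    Call this after a successful verify_password and store a new record if it
    returns True; that is how an old database migrates to a higher count.
    """
    try:
        iterations, _, _ = parse_record(record)
    except ValueError:
        return True
    return iterations < target_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong guess", rec))
```

Because the salt is random and stored, two accounts with the same password get different records, so a table precomputed for one account is useless for the other; because the count is stored rather than hidden, the server can keep verifying old records while raising the cost for new ones.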
Old 08/07/2013, 03:27 PM   #22
SchurmanCQC (High-roller; Join Date: Oct 2010; Location: Ontario, Canada; Posts: 1,886; Reputation: 249)
Re: Properly Securing Passwords

Bumping, thread updated.
__________________
I'm probably stoned.
Old 08/07/2013, 09:21 PM   #23
iTheScripter (Banned; Join Date: Jul 2013; Posts: 42; Reputation: 5)
Re: Properly Securing Passwords

Nice tutorial... really helped.
+rep
Old 09/07/2013, 12:54 PM   #24
Mindcode (Little Clucker; Join Date: Mar 2013; Posts: 8; Reputation: 0)
Re: Properly Securing Passwords

Nice, but is it possible to unhash a password? Or is it totally safe?
Old 17/07/2018, 02:54 PM   #25
BabyBauer (Little Clucker; Join Date: Mar 2017; Posts: 30; Reputation: 0)
Re: Properly Securing Passwords

Quote (Originally Posted by Mindcode):
Nice, but is it possible to unhash a password? Or is it totally safe?

Unhashing a hash is possible. However, unhashing a password could take anywhere from days to the end of the universe (no, I'm not kidding) depending on how good the user's password is. With a hash salt it's near impossible to crack.
Old 17/07/2018, 05:43 PM   #26
IdonTmiss (Big Clucker; Join Date: Dec 2016; Posts: 111; Reputation: 0)
Re: Properly Securing Passwords

Quote (Originally Posted by BabyBauer):
Unhashing a hash is possible. However, unhashing a password could take anywhere from days to the end of the universe (no, I'm not kidding) depending on how good the user's password is. With a hash salt it's near impossible to crack.

You just bumped a 5-year-old thread...
Old 17/07/2018, 05:54 PM   #27
Calisthenics (Huge Clucker; Join Date: May 2018; Posts: 334; Reputation: 49)
Re: Properly Securing Passwords

Quote (Originally Posted by BabyBauer):
Unhashing a hash is possible. However, unhashing a password could take anywhere from days to the end of the universe (no, I'm not kidding) depending on how good the user's password is. With a hash salt it's near impossible to crack.

A hash is one-way only. It's not encryption and decryption with a key that allows you to get the original text back. Brute force and lookup tables may crack a password, but that is not a reversal of the hash algorithm itself.
Old 22/07/2018, 10:03 AM   #28
AmigaBlizzard (Huge Clucker; Join Date: Jul 2012; Posts: 320; Reputation: 60)
Re: Properly Securing Passwords

If a hacker does a brute-force attack, it gets done using the normal OnPlayerConnect callback?
He won't be inputting every password combo by hand, but lets the computer enter it, a few thousand times per second.

If that's the case, then your server will get the salt automatically and hash it 65k times.
The hacker only needs to provide the password itself; the salt is not required (the server reads it from the database and appends it automatically),
and he only needs to see "Login successful" to know the password is correct.

If hashing it 65k times is just to increase the time needed to enter the server (wasting the hacker's valuable time), why not just have a 1-second timer or so? Less CPU power wasted and no lag.
Enter password, check if it's correct, start a timer, and when the time has passed, either log him in (password correct) or disconnect him (password not correct).

I think hashing a hash 65k times doesn't increase security.
Upon hashing a password, you get a fixed outcome.
Scrambling a fixed outcome 65k times doesn't make it more secure, because that outcome is fixed as well.
It only increases the time required to calculate the hash, allowing fewer attempts per second because of limited computing power.
And it increases lag on your server, even while no hacker is even trying to guess a password.

Why not just implement a maximum number of login tries, after which the server cuts the connection?
Then the hacker only has 3 tries to guess the password. If he fails, the connection is closed.

You could also implement another feature: a delay.

When the wrong password has been entered 3 times in a row, a value of 60 seconds could be stored in your database.
If they try to connect again within those 60 seconds, cut the connection again before even asking for a password.
This blocks every attempt at even guessing a password.
If they connect after those 60 seconds and enter the wrong password 3 times again, the delay might increase to 120 seconds.

This value would keep increasing until there are no more faulty passwords for 24 hours or so, or until the user enters the server with the proper password.

This is much less CPU intensive and way more secure, because the server cuts the connection after a few failed tries and will keep the connection severed.
So the hacker can try whatever he wants; he just can't connect to guess the password.

And to make sure the real owner of the account can still play, you can add a check for his IP and gpci code.
If both are still the same as at the last successful login, log him in automatically or allow him to enter a password even when the delay time has not passed (while the hacker still gets the connection closed after connecting).
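The lockout policy described in the post above (three tries, then a 60-second lockout that doubles each time, forgotten after 24 hours without failures or on a correct login, with a bypass for a client that matches the owner's last good login), as an added example written for this page in Python; it is not code from the thread or from SA-MP, and the clock is passed in as a parameter so the escalation can be checked without waiting. The policy numbers are the post's; the class, method names and the 24-hour cap on a single lockout are assumptions. One caveat worth keeping in mind: throttling of this kind limits online guessing against a running server, while salted, stretched hashes limit an attacker who has copied the database and guesses offline at full speed, so the two measures address different threats rather than substituting for each other.

```python
import math
from dataclasses import dataclass
from typing import Dict

# Policy values from the post above; the cap on one lockout is an assumption.
MAX_FAILURES = 3            # wrong passwords allowed before a lockout starts
FIRST_LOCKOUT = 60          # seconds; doubles on each further lockout
LOCKOUT_CAP = 24 * 3600     # never lock an account for more than a day at a time
FORGET_AFTER = 24 * 3600    # drop the failure history after a day without failures


@dataclass
class AccountState:
    failures: int = 0          # wrong passwords since the last lockout began
    lockout: int = 0           # length of the most recent lockout in seconds, 0 if none yet
    locked_until: float = 0.0  # time until which connections are refused
    last_failure: float = 0.0  # time of the most recent wrong password


class LoginThrottle:
    """Per-account failure counter with an escalating lockout.

    `now` is passed in (seconds, e.g. time.time()) so the logic is testable;
    a real server would persist AccountState in its database instead of a dict.
    """

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def seconds_locked(self, account: str, now: float) -> int:
        """0 if a password prompt may be shown, else whole seconds left on the lockout."""
        state = self.accounts.get(account)
        if state is None:
            return 0
        if now - state.last_failure >= FORGET_AFTER:
            del self.accounts[account]   # a day without failures: clean slate
            return 0
        return max(0, math.ceil(state.locked_until - now))

    def attempt(self, account: str, password_ok: bool, now: float,
                trusted_client: bool = False) -> str:
        """Process one login. Returns 'ok', 'wrong' or 'locked:<seconds>'.

        trusted_client stands for the IP + gpci match with the last good login
        that the post suggests: such a client may still try a password while
        the lockout runs; everyone else is refused before a prompt is shown.
        """
        remaining = self.seconds_locked(account, now)
        if remaining > 0 and not trusted_client:
            return f"locked:{remaining}"
        if password_ok:
            self.accounts.pop(account, None)  # correct password clears the history
            return "ok"
        state = self.accounts.setdefault(account, AccountState())
        state.failures += 1
        state.last_failure = now
        if state.failures < MAX_FAILURES:
            return "wrong"
        # Third failure in a row: start a lockout twice as long as the previous one.
        state.failures = 0
        state.lockout = FIRST_LOCKOUT if state.lockout == 0 else min(state.lockout * 2, LOCKOUT_CAP)
        state.locked_until = now + state.lockout
        return f"locked:{state.lockout}"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t, ok in [(0, False), (1, False), (2, False), (30, True), (62, True)]:
        print(t, throttle.attempt("player", ok, t))
```

Refusing the connection before the password prompt is what makes the scheme cheap: during a lockout the server does no hashing at all, so a flood of guesses costs it almost nothing, and the doubling means a persistent guesser is soon limited to a handful of tries per day.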