Leaderboard

Popular Content

Showing content with the highest reputation on 30/05/20 in all areas

  1.
     ```lua
     setWorldSoundEnabled(20, false, true) -- Ped voices.
     setWorldSoundEnabled(21, false, true)
     setWorldSoundEnabled(22, false, true)
     setWorldSoundEnabled(23, false, true)
     setWorldSoundEnabled(24, false, true)
     setWorldSoundEnabled(25, false, true) -- CJ's voice.
     ```
    1 point
  2. Peace be upon you. For anyone looking for a way to get the game Valorant, here is my video:
    1 point
  3. 1 point
  4. Introduction This guide intends to teach 3ds Max users how maps are converted and imported/exported through 3D applications, to then be used in professional renders, visualizations, machinma's or to utilise 3ds Max as a precise map editor. The below video demonstrates some of the possibilities that are being taught through this guide. There is a download link in the video description to IPL's that I have decompiled and filtered. Table of contents Prerequisites Access to GTA SA assets (read https://forum.multitheftauto.com/topic/119240-mta-modding-in-3d/ on how to extract, etcetera) Converting/decompiling GTA SA assets for compatibility Caution for performance and processing Importing IPL and IDE to 3D application Model issues and solutions Solution: Alpha is severely broken or has the wrong material applied on faces Solution: Random polygons appear black with flipped normals (.001 weld + reset/adjust smoothing groups) Common uses Converting to FBX Mental Ray adaption Designing and rendering a scene Mapping using Max Prerequisites Must have Autodesk 3ds Max of any desired version. Must have Kam's Maxscripts. Must have The Hero's RW importer. Must have GIMS EVO (Max 2016 or below). The beauty of this tool is it can convert various types of materials containing diffuse texture, into standard or GTA 5 material. It supports Kam's and RW material to be converted to standard. It is recommended to add the tool to a secondary copy of 3ds Max due to the heavy size of it. It is possible to have multiple copes of 3ds Max under 1 Student License. Access to GTA SA assets This guide assumes you have already extracted the entirety of the .img archives found in \models directory of your GTA SA installation. Extracting the interior and cutscene archives is ideal as well. I'm not going to cover the process in this guide, instead please read my MTA Modding in 3D guide. The following files are needed and has a description for where they're stored. 
- DFF (gta3.img, cutscene.img, gta_int.img @ Grand Theft Auto San Andreas\models) - TXD (gta3.img, cutscene.img, gta_int.img @ Grand Theft Auto San Andreas\models) - IPL (gta3.img, gta_int.img @ Grand Theft Auto San Andreas\models) - IPL [binary] (Grand Theft Auto San Andreas\data\maps) - IDE (Grand Theft Auto San Andreas\data\maps - these are optional as they store 2dfx etc.) - IFP (Grand Theft Auto San Andreas\anim - these .img archives contain IFP archives which stores a good bunch of animations each. It's possible that gta3.img and cutscene.img contains IFP files too.) Converting/decompiling GTA SA assets for compatibility Before certain data can be processed by 3ds Max, it needs to be decompiled and cleaned up. Fortunately there are modding tools available which can partially get it done, leaving only small bits of work to be done by hand. GTA SA has a set of binary and non-binary IPL files. Every IPL found in gta3.img and gta_int.img are binary, meaning they're in a non-readable format and cannot be read by 3ds Max, as opposed to IPL files found in \maps\ which can be read. IPL files found in .img archives do not contain LOD models, whereas ones in \maps\ does. To help identify a LOD, you can look for lines that ends with -1, although not all of these are LOD's. If you want to load in LOD's separate from high detail's, you'll have to filter out LOD's by hand. In order to decompile binary IPL's you need the Binary decompiler tool from gtainside and the IPL name restorer from GTAforums. By simply decompiling the IPL files, they'll rename all of the model names to "unknown" but retain the ID's. The IPL name restorer tool will then restore the ID's by cross searching IDE files. There are cases where the tool fails to perform the rename, this namely happens for models which are animated such as burger shot, mills, signs etcetera. To correct this, simply use Prineside, look up the ID and get the model name associated with the ID. 
For those who care to keep LOD's separate from high detail's, simply use a coding editor e.g Notepad++ and use the search function and disable "case dependant" and search "lod". You'll want to have 2 versions of every non-binary IPL, one for LODs and one for high details. For high detail IPLs, delete anything with "lod" in their lines, and opposite for LOD IPLs. The first video in the thread contains decompiled IPL's, sorted with LOD's and without LOD's, and has interior world decompiled as well. Several IPL's can be merged together if so desired, although it may be wise to keep them separate to avoid overloading your scene with thousands of objects. Caution for performance and processing For anyone who doesn't have experience with game model conversion and import of game maps, it's crucial to know that a single part of the map, where that part of the map is not even half of a city, can have fatal consequences for your 3D application and cause shutdowns or hour long freezes if not optimised and dealt with. Your computer will not be very welcoming to thousands of objects and especially materials/textures. It can take 1 IPL district for your viewport to reduce to 5 FPS even without materials visible in viewport. Ways to go about this is using instances and xref/proxies. It seems that IPL imports instances, but at times they lose their instance status and become unique from eachother. If this issue is encountered, you'll want one model to be the parent of a lot of other instances. To do this, either check this Autodesk forum post or open Maxscript listener and add the following code. for obj in selection do instancereplace obj $foo Replace "foo" with the name of the model that you want to use as instance parent. For example you have 11 palm trees, 10 of which are named palm_tree and 1 is named palm_tree_parent. Select those 10 and then replace the word "foo" with "palm_tree_parent". 
Whenever you make geometry changes to "palm_tree_parent" the 10 others will be affected. Instanced models is a good start on scene optimisation, but is far from great. Deleting objects not seen by the camera or shadows, reflections, etc. can do a great deal of change for your viewport and render speed. Do yourself a favor and google scene/render optimization. I learned a lot for my demoreel through the following articles: https://evermotion.org/tutorials/show/10105/optimizing-3d-scenes-for-faster-rendering https://cgtricks.com/save-memory-when-working-with-big-scenes-3dsmax/ That being said, it's important to be aware of how big an impact these 16 year old maps can have on your $2000 workstation. Your computer won't take the maps lightly. If needed, consider splitting map parts into several max project scenes to avoid overload and rendering/work issues. Be extremely cautious with detail of reflection, refraction, shadows, lighting as these REALLY eat up rendering time from a solid 2 minute to 10 minutes+ if done by somebody without sufficient knowledge. Sometimes alpha materials may also slow down the renderer. There are also ways to enhance rendering speed (if using Mental Ray) by choosing IBL (Image based lighting), this can cut down rendering time by 2-6 times rather than using Final gather, however the quality can degrade so it's really a question about whether a shorter render time is desired at the expense of render quality. Importing IPL and IDE to 3D application Certain GTA scripts such as Kam's vanila and Kam's Goldfish editions comes with IPL import functions titled as "Map IO". These functions can handle not only IPL and IDE import with several settings, but also export. Exporting as .IPL can prove useful for mappers who then convert their IPL to MTA map editor format. 
I have just found that Goldfish's Map IO allows to to import not only standard materials (negating the need to convert gta material to standard scanline) but also allows to import binary IPL by specifying a local .dat file. This guide however focuses on the traditional way of importing and handling maps using vanilla scripts, not Goldfish's, so that those who want to know more in depth about the formats gets the option to do so. Nevertheless, below spoiler contains a quick overview of doing it using Goldfish's latest script. The below image shows how data files can be imported into 3ds Max along with models, by using Kam's orginal script "Map IO". Path to your DFF files. Ideally, you've extracted all of the IMG archive's contents into 1 folder. Version of the game models. Some DFF models are different depending on game to game (III, VC, SA) Select desired image format. Choose the one that your TXD files were extracted as, in my case it's TGA. Import IPL file. Import IDE file. Import ZON file. Import 2dfx data (after IDE is imported). For the vast majority of binary IPL's, only props, buildings and roads are included. The regular IPL's found in GTA SA installation\maps\ usually contain the land masses and such. The binary IPL's contain stream numbers, so they're split into several different IPL's presumably to put less strain on the GTA streamer. These can be merged into one if desired, but not ideal. Model issues and solutions There aren't any perfect GTA scripts and tools available to public to flawlessly import maps. For all of them there are either limitations or incorrections. Same applies to Blender. This guide contains some of the issues and possible solutions, but they're far from perfect. A minor issue which doesn't deserve any header is where IPL doesn't import anything, or an error message appears. This is usually the case when a different GTA script has been opened in the current 3ds Max instance. Simply close 3ds Max and run again. 
If it still happens, repeat the step but try on a new project scene, then save as new project file and merge into the main project scene. Solution: Alpha is severely broken or has the wrong material applied on faces All editions of Kam's scripts has issues with importing face or material index correctly. What this means for imported models is that they have randomly flipped faces (identified by black faces) or have the wrong material applied on the wrong place, e.g wall bricks on a house roof or tree bark on tree leaves. To fix these issues, use either CJ2000's RW importer or The Hero's RW importer. These two import materials and normals nearly correctly, although by looking at the models in viewport there's still black (flipped) faces. This is not the case when rendering the model, however. It's important to note that RW does not always import the rockstar models perfectly. There are cases where faces must be manually flipped, or enable doublesided for particular models. Disabling backface culling (on render) solves it most of the times. It's possible that neither of the above scripts imports 2dfx data unlike Kam's. In which case, it may be necessary to import map with Kam's, preserve the 2dfx positions and then replace corrupted models with RW imported ones. If several models are corrupted, it may be a good idea to look into using some object replacement scripts or functions if they come with 3ds Max. This can speed up with auto-aligning correct models to the corrupted ones. 
These articles may help: https://jamiesjewels.typepad.com/jamies_jewels/2011/10/85-3ds-max-quicktip-substituting-objects.html https://knowledge.autodesk.com/support/3ds-max/learn-explore/caas/CloudHelp/cloudhelp/2017/ENU/3DSMax/files/GUID-2CABA3D7-ECFA-4D0D-A8C2-E86600BEFBE4-htm.html Solution: Random polygons appear black with flipped normals (.001 weld + reset/adjust smoothing groups) The "Alpha is severely broken or has the wrong material applied on faces" section explains part of why this occurs. A way to fix the viewport issue is welding all vertices at 0.001 threshold. This removes any overlapping vertex. The model's smoothing groups can then be reset or adjusted, provided the model is imported with 1 total group which makes for a very smooth and unrealistic appearence. To correct the black polygons, use the "Flip normal" function. Simply flip any black polygons which are supposed to be white. This is not relevant to fix if your end goal is to render the map. Simply follow the method for "RW" scripts from the above section. It's only ideal to flip the faces if it annoys you to view the models corrupted in viewport. Common uses A lot of things are possible by importing GTA map into 3ds Max. For instance, film makers are able to integrate their own models with ease, customized animations and even physics, FX and much more. MTA mappers can also use the program to create mappings in 3D with a lot of powerful tools to ease the workflow. This can prove exceptionally useful for race maps due to Max's array functions to instance an object a thousand times along a curve to generate roads, loops and what not. Converting to FBX Instead of being restricted to Renderware and DFF formats, modelers can now import GTA map and then convert materials and the model components to be suitable with other programs and engines such as Cinema 4D, Unreal Engine and Unity. The conversion to FBX is in fact very simple. 
In order for DFF models to be converted, their material and lights needs to be converted too. GTA/RW material needs to be converted to standard scanline material. Normally it's only a matter of changing the material to standard and copying over the diffuse texture, and in rare cases, a specular and environment image as well. Lights may need to be adjusted to show the color that they're given in their IDE (if they import as dummies). Once that's done, the models may be exported as FBX (or any other model format). To correctly save as FBX format, follow the below steps. Go to File -> Export -> Export selected. This ensures that only the selected assets are being added to the FBX file, and that none other e.g non-converted models interferes and breaks the file. Next, find a location for the FBX file and name it to your liking. Below are the ideal settings for a GTA map to be exported as FBX. Smoothing Groups - enable if your lighting won't rely on vertex colors. You'll instead want to use smoothing groups to define model's shading. Preserve instances - enable if your scene utilises instances, disable if your scene only contains unique models. Preserve edge orientation Embed Media - Max will reference the textures used in the models, search for them in your texture folder, then paste the ones used in the scene into the FBX file. Very useful to cut down on texture folder size as it'll only use the ones that are used by your map. Can save some computer disk space. This can be useful if your client or member doesn't have access to your global texture folder. Units - normally you'll want metric/meters as that's the system used by SA. Axis Conversion - SA is Z-up whereas VC is Y-up (wrong?), so keep as Z-up. It's optional whether you should export lights or not. Look through the settings just to ensure that everything adapts to your preferences. If it does, hit OK and it will export. 
If you get an error message, make sure you've only selected the models with standard material. Mental Ray adaption For those who own a 3ds Max copy of version 2017 or higher, has the ability to change standard scanline materials to Physical among other material types within a few clicks using the Scene Converter (through the Rendering menu). For simple materials with diffuse maps, there are also other tools and 3rd party plugins that can convert between Vray/Corona/Arnold/Mental Ray and so forth. Having Standard Scanline materials in a Mental Ray scene can add to performance and render speed; it's always a good idea to keep materials corresponding to the active renderer. Arch & Design material also has a lot more functionality than Scanline does. In order to convert Scanline to Arch & Design, install the Material Converter from the following site. https://www.motivacg.com/downloads/scripts-3dsmax/. With this tool, simply choose the materials type according to their renderer. On conversion, all standard materials including multimaterials are converted into Arch & Design for use with the Mental Ray renderer. Designing and rendering a scene 3D rendering can be a beneficial way of visualizing a project or simply create art out of San Andreas. The above was shot on 3ds Max using Mental Ray as renderer in a scene lit by daylight system and parti volume shader as means of environment fog. A separate render pass was exported on the graphics card for Ambient Occlusion. The beauty and AO map were composited together and then color corrected. I tried to imitate "Welcome to the 80's" style of his GTA SA remastered CG shots. Down below I'll have a video and few lines of text on what I did to achieve part of what you see. It will by no means be the perfect guide to produce this exact image, but it hopefully will help people get started and troubleshoot issues through the process of setting up a scene. In the below video's description there are additional links and information. 
It's important to pause the video once a new subtitle appears, as they do not show for a very long duration. For those looking to add character animations to their project: Own GTA Anim Manager. Minor program that allows you to dig into IFP archives and change/modify their contents. Useful for adding/removing IFP animations in IFP archives. Own Kam's IFP scripts (comes with the DFF IO etc). Allows you to import animations onto skin rigs. It is a good idea to make necessary changes to rigs before applying animations. Necessary changes could be subdivision/smooth, material setup etcetera. After an animation is applied it's recommended to parent the Root bone to a dummy, so the new dummy can rotate the rig without the rig getting deformed while posing it. Mapping using Max Over the years a few community contributors have designed tools which export map files from Max, as well as internet converters which convert IPL to MTA. Which one to use really boils down to user preference. The most common however would be Kam's Map IO. This has the functions to export position/rotation data through IPL and IDE file types. These can be parsed/converted through 3rd party tools not necessarily related to Max. Another Max method of generating MTA maps is exporting using 50p's Map exporter. The beauty of creating maps in Max versus MTA map editor, is the ability to work in 3D and really isolate the mapping from everything else with a few clicks. It also offers great scene management, granting users options to import SA map for position reference, hide the SA map while creating their custom map etcetera. It also allows for visualizations of mappings using modern 3D graphics engines. 3ds Max has a lot of tools to create arrays or scatter objects around the surface of another object, those objects' pos and rot data can then be converted to MTA map file format. 
Mapping in Max can prove exceptionally handy for race mappers, or for those looking to group objects and move them all together, map with attention to precision or instance thousands and thousands of objects.
    1 point
  5. Introduction

Properly handling your user's credentials (username and password) is very important, this guide gives detailed information and code samples on how to (properly) implement an account "system". This guide assumes you are not using MTA's built in accounts.

Disclaimer: Any code shown in this tutorial is purely for illustrative purposes, and is not finished code, you should use it as a guideline, not a solution.

Content

The following topics will be discussed in this tutorial:

- How to hash and salt passwords (register)
- How to validate a hashed password (login)
- How to add "remember-me" functionality
- How to offer password recovery
- How to migrate from an older hashing algorithm, to a newer one
- Using a password policy (Extra)
- How to handle database leaks (Extra)
- What even is hashing and salting?

For the purpose of this tutorial we expect a database structure which is somewhat similar to this:

How to hash and salt passwords

When you have a user register on your service, that user expects of you to keep their password safe. Whilst it is generally bad practice to use the same password for multiple services there are many users that still do so. Because of this it's crucial that you save the user's passwords in a way that an attacker will be unable to find out the original password the user typed. This includes if they have full access to your database. In order to do this we do what is called "Password hashing".

When a user registers, your server receives the user's intended username, (email) and password. Before you save that password to the database you have to hash and salt this, luckily MTA has a function that takes care of this. If you wish to know more about what exactly it does, there's more information at the end of this tutorial. In order to hash this password you use the passwordHash function.
This function is relatively slow (by design), so it is highly recommended you pass a callback to this function, so your entire script doesn't wait for it to complete.

https://wiki.multitheftauto.com/wiki/PasswordHash

```lua
local mysqlHandle -- we're assuming this value is set somewhere else in code

function register(username, email, password)
    local player = client
    passwordHash(password, "bcrypt", {}, function(hashedPassword) -- callback function for hashing the password
        dbQuery(function(handle) -- callback function for storing the user in the database
            -- the handle itself is always set in this callback; dbPoll returns false when the INSERT failed
            local result = dbPoll(handle, 0)
            if (result) then
                triggerClientEvent(player, "registrationSuccess", player) -- inform the user that registration was successful
            else
                triggerClientEvent(player, "registrationFailed", player)
            end
        end, mysqlHandle, "INSERT INTO users (email, username, password) VALUES (?, ?, ?)", email, username, hashedPassword)
    end)
end
addEvent("passwordTutorial:register", true)
addEventHandler("passwordTutorial:register", getRootElement(), register)
```

How to validate a hashed password

Once you've saved the hashed password to your database you need to do a little bit of additional work when authenticating the user. Luckily MTA offers a passwordVerify() function, which is the counterpart of the previously discussed passwordHash(). What this function does is basically hash the password in the same way, resulting in the same output hash.

https://wiki.multitheftauto.com/wiki/passwordVerify

In order to get the account the user is trying to log in to you have to do a query for an account which has the user submitted username, and of which the password matches through passwordVerify. PasswordVerify is also a relatively slow function, thus you should use a callback.
```lua
function login(username, password)
    local player = client
    dbQuery(function (handle) -- callback for the query selecting the user by username
        local results = dbPoll(handle, -1)
        if (not results or #results == 0) then -- query failed or no such user
            triggerClientEvent(player, "loginFailed", player)
            return
        end
        passwordVerify(password, results[1].password, {}, function(matches) -- callback function for the password verify
            if (matches) then
                -- Do anything you wish with the database result to log the player in with the rest of your scripts
                triggerClientEvent(player, "loginSuccess", player)
            else
                triggerClientEvent(player, "loginFailed", player)
            end
        end)
    end, mysqlHandle, "SELECT * FROM users WHERE username = ?", username)
end
addEvent("passwordTutorial:login", true)
addEventHandler("passwordTutorial:login", getRootElement(), login)
```

How to add "remember me" functionality

When users on your server log in, they often do not want to have to enter their username and password every time they want to log in. In order to satisfy this need you can implement a "remember me" function. What I've seen happen in the past, is people would store the user's password (encrypted) on the client. This is NOT safe, and should never be done!

In order to properly use remember me functionality what you would do is upon logging in, generate a random string. The longer the better. This random string is what we call an access token. You would then allow the user to log in with such an access token, preferably only once generating a new access token each time one is used.

To implement this you would generate that token every time the user logs in, whilst they have "remember me" enabled. You will have to save this token in your database alongside your user. For extra security you could also store the user's serial alongside the access token, you can then validate that the access token is being used from the same device.
https://wiki.multitheftauto.com/wiki/Filepath

```lua
function login(username, password)
    -- This code should be put in the callback to the dbQuery function, but to keep the example clean that's not shown here
    if (rememberMe) then
        local token = generateRandomToken()
        -- dbExec, because an INSERT has no result that needs polling
        dbExec(mysqlHandle, "INSERT INTO access_tokens (user_id, token) VALUES (?, ?)", results[1].id, token)
        triggerClientEvent(player, "loginSuccess", player, token)
    end
end

function rememberMeLogin(username, accessToken) -- this function handles a user's login attempt
    local player = client
    dbQuery(function(handle)
        local result = dbPoll(handle, -1)
        if (not result or #result == 0) then
            triggerClientEvent(player, "loginFailed", player)
        else
            -- Do anything you wish with the database result to log the player in with the rest of your scripts
            triggerClientEvent(player, "loginSuccess", player)
        end
    -- the submitted token has to be part of the lookup, otherwise knowing a username would be enough to log in
    end, mysqlHandle, "SELECT users.* FROM access_tokens JOIN users ON users.id = access_tokens.user_id WHERE users.username = ? AND access_tokens.token = ?", username, accessToken)
end
addEvent("passwordTutorial:loginRememberMe", true)
addEventHandler("passwordTutorial:loginRememberMe", getRootElement(), rememberMeLogin)
```

How to offer password recovery

Offering password recovery requires a little bit more than just your MTA server. Generally password recovery is done with emails. So you would need access to an email server / service which you can use to send an email from an HTTP request. (Like you can do with fetchRemote()).

When a user requests a password reset, have them enter the email you registered with. You then fetch a user from the database with this email address. You would then store a password recovery token for this user. This token, just like the remember me token, is a random string.

Ideally, you would send the user a link with a password reset form that goes to a webpage where the user can reset their password. You could do this with an external service, like a webserver. Or you could use MTA's Resource web access for it, but if you do make sure you handle permissions properly for anything else that uses this.
However another option would be to have the user copy paste the generated token from the email into your server's login window. Which of the two solutions you pick is up to you, my personal preference goes to the one with the link in the email. But in either case the server side logic is the same.

When the user attempts to perform password recovery, verify that the token they give you belongs to a user, and then change the password to the newly requested password. Make sure you hash this password the same way you do in your login.

```lua
function requestPasswordRecovery(email)
    local player = client
    dbQuery(function (handle)
        local result = dbPoll(handle, -1)
        if (not result or #result == 0) then
            triggerClientEvent(player, "passwordTutorial:passwordRecoveryRequestFailed", player)
        else
            local token = generateRandomToken()
            -- store the token for this user only; without the WHERE clause every row would get the same token
            dbExec(mysqlHandle, "UPDATE users SET recovery_token = ? WHERE id = ?", token, result[1].id)
            -- mail the token to the user, mail implementation depends on the mail server/service you use
            triggerClientEvent(player, "passwordTutorial:passwordRecoveryRequestSuccess", player)
        end
    end, mysqlHandle, "SELECT * FROM users WHERE email = ?", email)
end

function recoverPassword(recoveryToken, password)
    local player = client
    dbQuery(function (handle)
        local result = dbPoll(handle, -1)
        if (not result or #result == 0) then
            -- this is only valid if you have the user request password recovery from ingame
            triggerClientEvent(player, "passwordTutorial:passwordRecoveryFailed", player)
        else
            passwordHash(password, "bcrypt", {}, function(hashedPassword) -- callback function for hashing the password
                -- dbExec takes no callback; it returns false only when the connection is invalid.
                -- The token is cleared in the same statement so it cannot be used a second time.
                local queued = dbExec(mysqlHandle, "UPDATE users SET password = ?, recovery_token = NULL WHERE recovery_token = ?", hashedPassword, recoveryToken)
                if (queued) then
                    -- this is only valid if you have the user request password recovery from ingame
                    triggerClientEvent(player, "passwordTutorial:passwordRecoverySuccess", player) -- inform the user that the password recovery was successful
                else
                    -- this is only valid if you have the user request password recovery from ingame
                    triggerClientEvent(player, "passwordTutorial:passwordRecoveryFailed", player)
                end
            end)
        end
    end, mysqlHandle, "SELECT * FROM users WHERE recovery_token = ?", recoveryToken)
end
```

Besides changing the password, it's important you also delete any access tokens that user might have if you're using remember me functionality. It is also good practice to make recovery tokens expire after a certain amount of times, and not allow a recovery token to be created whilst one is already in progress. This prevents a user from sending a large number of emails from your service.

How to migrate from an older hashing algorithm, to a newer one

Maybe after reading this topic you realise that your password security is not what it should be. So you want to change your old password hashing / validation logic to the ones explained in this topic. And due to the nature that hashes can not be "unhashed", you can't simply migrate your passwords over. So in order to migrate the passwords what you have to do is when a user logs in, first validate their password with the old hashing algorithm. If this matches, then hash (and salt) it with your new hashing algorithm and save it in your database. Make sure to delete the old password otherwise your password security is not any better than before.

Using a password policy

Password policies are important to prevent your users from picking a password that is too easily cracked / brute forced. Many password policies come in the form of "Must have at least one capital letter, one digit and one number". But that discards the fact that the best way to make your password more difficult to crack, is making your password longer.

So in the code snippet below is a function that measures the 'search space' of a password. The search space of a password is the amount of possible passwords there are with a certain combination of characters. In order to use this, you would have to set a minimum password search space when a user registers for an account.
This minimum is up for you to set, but be reasonable, you shouldn't expect a user's password to be impossible to remember / create. I recommend playing with the function a bit to see what values you get out of it, and pick something you believe is sensible.

```lua
function getPasswordSearchSpace(password)
    local lowerCase = password:find("%l") and 26 or 0
    local upperCase = password:find("%u") and 26 or 0
    local digits = password:find("%d") and 10 or 0
    local symbols = password:find("%W") and 32 or 0
    local length = password:len()
    return (lowerCase + upperCase + digits + symbols) ^ length
end

-- The below function calls are to indicate the difference in search space for a set of passwords
print(getPasswordSearchSpace("a"))
print(getPasswordSearchSpace("abc"))
print(getPasswordSearchSpace("Abc"))
print(getPasswordSearchSpace("Ab!"))
print(getPasswordSearchSpace("Ab!0"))
print(getPasswordSearchSpace("Mu#9A0h."))
print(getPasswordSearchSpace("This is a demonstration of how easy an incredibly strong password is to remember"))
```

How to handle database leaks

If you have reason to believe that your database has been leaked or otherwise compromised, it is important that your first course of action is removing any access tokens stored in your database. Once you have done that you have to inform your users. Whilst when properly hashed and salted it's extremely difficult / time consuming to find out a user's password it is still a possibility. So you should inform your users of the breach, tell them that their passwords were properly hashed, and they do not need to fear for their passwords immediately. However you should suggest to your users that they change their password either way, just in case.

What even is hashing and salting?

Hashing has been brought up several times in this tutorial, whilst you do not need to know what it is / does, you might be interested in knowing regardless.
I won't be going too far in depth as I simply do not have the knowledge, but the basic idea of hashing is this: When you hash anything, you turn it into a string of characters (or other value) that has no relation to the original input, other than when you hash the original input again, it will always generate the same hash. For example, when you hash the string 'banana' using the sha512 hashing algorithm, it will always yield the output: "F8E3183D38E6C51889582CB260AB825252F395B4AC8FB0E6B13E9A71F7C10A80D5301E4A949F2783CB0C20205F1D850F87045F4420AD2271C8FD5F0CD8944BE3"

Now hashing can not be reverted, you can not "unhash" a hash, so in order to verify someone's password you hash it again, and see if the two hashes are the exact same. Now this is great, passwords are safely stored. However there is still more to do, salting.

Salting is adding some random data to your password prior to hashing it. This prevents when two users (on the same service, or on others) have the same password, that their hashes are also the same. Meaning if one password is compromised, the other password is not. It is important that a salt is random for every user in your application, not one salt for your entire application.

Now you might think we didn't do any salting in the code / tutorial above. This is not true, we just didn't do it ourselves. MTA's passwordHash function actually hashes the passwords and salts it, this salt is then stored in the output hash itself, just before the actual password hash. In the case of bcrypt it actually stores a little bit more info in the resulting hash, but you need not worry about that.
    1 point
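
The migration step from the password tutorial above (validate with the old algorithm at login, then re-hash with the new one and overwrite the old value) is described there only in prose. The following is an added example, not code from the original post. It assumes the legacy scheme was an unsalted SHA-256 hex digest kept in the same users.password column; `isLegacyHash`, `upgradeLegacyHash`, `reply` and `loginWithMigration` are hypothetical names, and `mysqlHandle` and the event names are reused from the tutorial.

```lua
-- Added example: upgrade legacy password hashes to bcrypt when the user logs in.
-- ASSUMPTIONS (not from the original post): the old scheme stored an unsalted
-- SHA-256 hex digest (64 hex characters) in users.password, the same column that
-- passwordHash() results go into. Adjust isLegacyHash and the hash() call to
-- whatever your old scheme really was.
local mysqlHandle -- assumed to be set elsewhere, as in the tutorial's snippets

-- A legacy value is exactly 64 hex digits; anything else is treated as a passwordHash() result.
local function isLegacyHash(stored)
    return type(stored) == "string" and #stored == 64 and stored:find("^%x+$") ~= nil
end

-- Send the login result, unless the player left while a callback was pending.
local function reply(player, ok)
    if (isElement(player)) then
        triggerClientEvent(player, ok and "loginSuccess" or "loginFailed", player)
    end
end

-- Re-hash the plaintext (only available during login) and overwrite the legacy value,
-- so the weak hash no longer exists in the database afterwards.
local function upgradeLegacyHash(userId, legacyHash, password)
    passwordHash(password, "bcrypt", {}, function(newHash)
        if (not newHash) then
            return -- hashing failed: keep the legacy row and retry on the next login
        end
        -- "AND password = ?" turns the write into a no-op if the row changed in the
        -- meantime, e.g. a password recovery finished while bcrypt was running.
        dbExec(mysqlHandle, "UPDATE users SET password = ? WHERE id = ? AND password = ?",
            newHash, userId, legacyHash)
    end)
end

function loginWithMigration(username, password)
    local player = client
    if (type(username) ~= "string" or type(password) ~= "string") then
        reply(player, false) -- event arguments come from the client, so check their types
        return
    end
    dbQuery(function(handle)
        local rows = dbPoll(handle, 0)
        if (not rows or #rows == 0) then
            reply(player, false)
            return
        end
        local user = rows[1]
        if (isLegacyHash(user.password)) then
            -- Old algorithm: recompute the digest and compare, ignoring hex case.
            local matches = hash("sha256", password):lower() == user.password:lower()
            if (matches) then
                upgradeLegacyHash(user.id, user.password, password)
            end
            reply(player, matches)
        else
            -- Already migrated: verify exactly as in the tutorial's login function.
            passwordVerify(password, user.password, {}, function(matches)
                reply(player, matches)
            end)
        end
    end, mysqlHandle, "SELECT id, password FROM users WHERE username = ? LIMIT 1", username)
end
-- Register this instead of the tutorial's login handler, not alongside it.
addEvent("passwordTutorial:login", true)
addEventHandler("passwordTutorial:login", getRootElement(), loginWithMigration)
```

Accounts that never log in again keep their legacy hash, so counting rows whose password is still 64 hex characters shows how far the migration has progressed.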