Password Encryption


tommymaster

Hi, right now I am storing passwords in my database. I use hash("sha512", ...) on the passwords on the client side, then send the result to the server side and update the database with it. I have no other protection on the passwords. Many told me that it's not safe. What can I do?


First of all, I recommend you use encodeString and decodeString to encrypt everything with your own password. You also have to use those functions server-side to keep your own password secure.

1 hour ago, tommymaster said:

Many told me that it's not safe, what can i do?

By the way, your protection depends on your code. If you send the password plus some info that ties the current account to the player (for example the serial) using the triggerServerEvent function, that would not be safe at all. Another example: when a player logs in, he/she gets elementData with the account id/account name and you send it server-side; this is unsafe too.

You have to send only the player's password using triggerServerEvent and get the other information server-side.

@tommymaster

People told me to add salt to my passwords, but I don't really know what it does. Could you help me with that? So the simple hash("sha512", ...) will not be enough?

3 hours ago, tommymaster said:

simple hash("sha512", ...) will not be enough

It's not about whether it's enough or not; it's about how you will pass the variable from the client side to the server side.

If you want to be safer, just encrypt it on both sides, client and server.

That will be better.

So I should use hash on both the client side and the server side?

22 hours ago, Dimos7 said:

md5

Unsafe

41 minutes ago, Master_MTA said:

And it's better to use a double hash, not only one, like this:

hash('sha',tostring(hash('md5',pass)))

You got it?

Unnecessary; it only eats up extra resources for no reason.

What you should care most about is how to transfer the password safely to the server without running the risk of it being sniffed out by a man-in-the-middle attack. Luckily for you, triggerServerEvent already encrypts the data being sent, so you don't need to apply your own encryption. On the server you can then hash the password (using sha256; sha512 is overkill) together with a salt (that you store together with the password). I don't generally recommend hashing client-side as that may compromise the salt.

You can also use the passwordHash and passwordVerify functions, which are the most recommended solution (using "bcrypt" as the hashing algorithm). These functions automatically handle the salt for you and prevent so-called 'timing attacks'.

Could you please give me an example?

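An editor-added example in answer to the request above; it is not code from any post in this thread, nor MTA's own code. It is a server-side Lua script that does what Megadreams describes: the client sends only the user name and plaintext password over triggerServerEvent (which already encrypts the transport), the server looks the account up itself rather than trusting an account id or serial from the client, and passwords are stored and checked with passwordHash/passwordVerify using "bcrypt", which generates and stores its own salt. It also shows how rows that still hold the thread's original client-side sha512 hex digests can be upgraded to bcrypt on a player's next login. Hypothetical names: the events onRequestLogin, onRequestRegister and onLoginResult, the accounts table and the login.db file. Assumed, as documented on the MTA wiki: passwordHash(pw, "bcrypt", options, cb) calls cb(hash) and passwordVerify(pw, hash, options, cb) calls cb(boolean).

```lua
-- Editor-added example, not code from this thread or from MTA. Server-side login and
-- registration using passwordHash/passwordVerify ("bcrypt") with SQLite.
-- Hypothetical names: events onRequestLogin / onRequestRegister / onLoginResult,
-- table "accounts", file "login.db". Assumed (per the MTA wiki): passwordHash(pw,
-- "bcrypt", {cost = n}, cb) calls cb(hash) and passwordVerify(pw, hash, {}, cb)
-- calls cb(boolean).

local db = dbConnect("sqlite", "login.db")
dbExec(db, "CREATE TABLE IF NOT EXISTS accounts (name TEXT PRIMARY KEY, password TEXT NOT NULL)")

-- Who is logged in lives here on the server, not in synced element data that the
-- client could read back and echo in later requests.
local loggedIn = {}

local function validCredentials(name, password)
    return type(name) == "string" and name:match("^[%w_]+$") ~= nil
       and #name >= 3 and #name <= 20
       and type(password) == "string" and #password >= 8 and #password <= 128
end

-- Registration. The client sends only name + plaintext password; triggerServerEvent
-- already encrypts the transport. bcrypt generates a random salt and stores it inside
-- the returned hash string, so no separate salt column is needed.
addEvent("onRequestRegister", true)
addEventHandler("onRequestRegister", root, function(name, password)
    local player = client  -- 'client' is only valid inside this handler, so capture it for the callback
    if player ~= source or not validCredentials(name, password) then return end
    passwordHash(password, "bcrypt", { cost = 12 }, function(hashed)
        if not hashed or not isElement(player) then return end
        -- '?' placeholders are escaped by dbExec; the name cannot inject SQL.
        dbExec(db, "INSERT OR IGNORE INTO accounts (name, password) VALUES (?, ?)", name, hashed)
    end)
end)

-- Login. The account is looked up by name here; an account id, serial or "already
-- logged in" flag sent by the client is never trusted.
addEvent("onRequestLogin", true)
addEventHandler("onRequestLogin", root, function(name, password)
    local player = client
    if player ~= source or not validCredentials(name, password) then return end

    dbQuery(function(queryHandle)
        local rows = dbPoll(queryHandle, 0)
        local row = rows and rows[1]
        if not isElement(player) then return end

        local function finish(ok)
            if not isElement(player) then return end
            if ok then loggedIn[player] = name end
            -- Same reply for an unknown name and a wrong password.
            triggerClientEvent(player, "onLoginResult", player, ok)
        end

        if not row then
            finish(false)
        elseif row.password:sub(1, 2) == "$2" then
            -- Current scheme: a bcrypt string. The callback form keeps the slow hash
            -- off the main server thread.
            passwordVerify(password, row.password, {}, finish)
        else
            -- Migration for rows that still hold the old client-side sha512 hex digest
            -- (what the original hash("sha512", ...) produced). It is checked once; on
            -- success the row is rewritten with bcrypt so later logins use the strong scheme.
            local ok = hash("sha512", password) == row.password
            if ok then
                passwordHash(password, "bcrypt", { cost = 12 }, function(hashed)
                    if hashed then
                        dbExec(db, "UPDATE accounts SET password = ? WHERE name = ?", hashed, name)
                    end
                end)
            end
            finish(ok)
        end
    end, db, "SELECT password FROM accounts WHERE name = ?", name)
end)

addEventHandler("onPlayerQuit", root, function()
    loggedIn[source] = nil
end)
```

On the client side the only call needed is triggerServerEvent("onRequestLogin", localPlayer, name, password) (and the matching register event) with the player's own element as source; the serial, account id or any element data is not sent, because the server reads those itself. Two caveats: the sha512 migration compare uses Lua's == and is therefore not constant-time, unlike passwordVerify, but it runs only once per legacy account; and bcrypt at cost 12 takes tens to hundreds of milliseconds per hash, which is why both functions are used with callbacks rather than blocking the server.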