MakeWebGames

NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.



Posted

OK, I'd like to reiterate to everyone here: you CANNOT

You're unable to view this code.

Install this on an existing game.

The simple reason is, you are most likely all using MD5 encryption; moving to a salted SHA-1 will make ALL of your users' passwords invalid, and to go through and manually change all of these would take a decade.

So, with that being said, this is for NEW GAMES only, which can reset their database if need be.

This is 10x better to use than MD5, as salted SHA-1 is MUCH harder to decrypt than MD5 is.

Here we go.

Open up Register.php. Find this:

You're unable to view this code.

Again, look in this query:

You're unable to view this code.

Find the '{$_POST['password']}' bit.

Overwrite '{$_POST['password']}' with:

You're unable to view this code.

Save/close.

 

Open up Authenticate.php.

Find:

You're unable to view this code.

ABOVE it, add:

You're unable to view this code.

Next, go back to:

You're unable to view this code.

Find '{$_POST['password']}'; if you have this sprintf'd, just look for $_POST['password'].

Replace the password bit with:

You're unable to view this code.

You may need to add { } around it: {$salted_hash}

Close and save.

 

Next, open up Preferances.php.

This is my password change function. This will vary depending on which preferences you use and how you have it laid out.

You're unable to view this code.

And that is it. For those that would like me to post up my preferences to keep it easy, just ask. This in my opinion is far better than MD5 and much harder to hack, as there aren't that many rainbow tables that can decrypt salted SHA-1 passwords.
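The register/authenticate/password-change steps above, written out as an added example (the post's own code is hidden behind the forum's registration wall, and this is not it). It follows the scheme the post describes, a salt concatenated with the password and hashed, but uses SHA-512 and draws a fresh random salt for every user, stored beside the hash. The table name `users`, the columns `salt` and `password`, and the in-memory SQLite table used for the demo are assumptions.

```php
<?php
// Added example (not the post's hidden code): the Register.php / Authenticate.php /
// Preferances.php steps, with a random salt per user instead of one string shared
// by the whole game. Table "users" and columns salt/password are assumptions.
declare(strict_types=1);

// 16 bytes from the CSPRNG, hex-encoded (32 chars) so it fits a VARCHAR column.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

// The one function used at registration, login and password change, so the
// three places can never drift apart. Output is 128 hex chars.
function saltedHash(string $salt, string $password): string
{
    return hash('sha512', $salt . $password);
}

// Register.php: the INSERT stores the salt next to the hash instead of $_POST['password'].
function registerUser(PDO $db, string $username, string $password): void
{
    $salt = makeSalt();
    $stmt = $db->prepare('INSERT INTO users (username, salt, password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $salt, saltedHash($salt, $password)]);
}

// Authenticate.php: fetch the user's own salt, recompute, compare in constant time.
function authenticateUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT salt, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user: same answer as a wrong password
    }
    // hash_equals() does not stop at the first differing byte.
    return hash_equals($row['password'], saltedHash($row['salt'], $password));
}

// Preferances.php: verify the old password, then store a fresh salt with the new hash.
function changePassword(PDO $db, string $username, string $old, string $new): bool
{
    if (!authenticateUser($db, $username, $old)) {
        return false;
    }
    $salt = makeSalt();
    $stmt = $db->prepare('UPDATE users SET salt = ?, password = ? WHERE username = ?');
    $stmt->execute([$salt, saltedHash($salt, $new), $username]);
    return true;
}

// Demo on a constructed in-memory SQLite table (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT NOT NULL, password TEXT NOT NULL)');

registerUser($db, 'alice', 'correct horse');
registerUser($db, 'bob', 'correct horse');   // same password, different salt, different hash

$a = $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
$b = $db->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
if ($a === $b) { throw new RuntimeException('per-user salt missing'); }
if (!authenticateUser($db, 'alice', 'correct horse')) { throw new RuntimeException('login failed'); }
if (authenticateUser($db, 'alice', 'wrong')) { throw new RuntimeException('wrong password accepted'); }
if (!changePassword($db, 'alice', 'correct horse', 'new pass')) { throw new RuntimeException('change failed'); }
if (!authenticateUser($db, 'alice', 'new pass')) { throw new RuntimeException('login after change failed'); }
echo "ok\n";
```

Two caveats a practitioner would add. A single SHA-512 over salt and password is fast, so a leaked table can still be brute-forced at GPU speed; the per-user salt only removes precomputation and per-table reuse. Today the same three functions would call password_hash() and password_verify(), which generate and store the per-user salt for you and are slow by design. And using the username as the salt, as suggested later in this thread, is weaker than a random one: it is predictable, it is reused across every site that does the same, and it changes if the player renames.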

Posted

You *could* add this into current games. Use a forgot-password function on login which is also set to create the password with the salted SHA-512 hash.

Make an announcement by whichever methods you have available. Inform your players that a new password system will be introduced, etc. They can then reset their passwords and log in no problem, and everyone is running on a more secure password system.

Posted

Why even use the same salt for every user?

Using a different salt for every user is a better option. ;)

Or... don't use any of those hashing methods and make your own. :)

Posted
You *could* add this into current games. Use a forgot-password function on login which is also set to create the password with the salted SHA-512 hash.

Make an announcement by whichever methods you have available. Inform your players that a new password system will be introduced, etc. They can then reset their passwords and log in no problem, and everyone is running on a more secure password system.

I wouldn't suggest it, and here is why.

The users that aren't logged in and don't get the announcement won't be able to log in.

You stand a chance of losing a lot of users, as not all of them will think to use the password reset.

You "could". But meh.

Posted

Like I said, you COULD... which I prefer to cannot.

Crazy-T... if you use a random salt, don't you have to store this for verification, so calling the random salt hash every time they log in?

You could also add their username into the hash.

$salt . $password . $username

Posted
I'm not "that" good yet T ;) You can't say salted SHA-1 is easy to decrypt :P

I would like to see you decrypt a SHA-1 password or even MD5. :)

Yeah, there are rainbow tables...

Posted

It is impossible to decrypt a hash...

And @Crazy-T: Yes, you could write your own hash algorithm, but it is going to be nowhere near as good as SHA-1 or even MD5...

Regarding the original topic: There are many ways to make your passwords more 'secure'. For example (some have already been mentioned), using different salts for each user, using multiple salts, rehashing, using more than one hash algorithm (md5+sha1?), etc.

Also, I think ImmortalThug forgot to mention: the salt needs to be a large random string. Just use some kind of string generator to generate a random string of >128 characters. If you use a salt that's 5 letters long, you're completely missing the point of using a salt :)

And once you use a salt to hash a password, you must never change the salt again, otherwise you can't use the hash to verify anything anymore!

Posted

Oops, yeah, forgot to mention that last bit, Zeggy.

I personally went with something along the lines of this for my salt:

&#JJFKK993KKD337r98LFKSDJF#@$#*()@&kdkfajdj$&)*(#%(*)#&$%Klk

 

shrugz :P

Posted
Oops, yeah, forgot to mention that last bit, Zeggy.

I personally went with something along the lines of this for my salt:

&#JJFKK993KKD337r98LFKSDJF#@$#*()@&kdkfajdj$&)*(#%(*)#&$%Klk

shrugz :P

Should be longer...
Posted
Wouldn't their username work better, so it's different for everyone?
Ultimately you would want something like:

eh9g35g93j4f9u394fu934ut34T£$RTq3F£$T/34G?£$%G2$%"3EG"$H£$%H£^H£tb34h£$%H"£h$b$%^34^%2G£5g"£%F"£$$£&^3^435^3g4vg345345g (This long string should be around 150 chars, and will be different for every user)

The user's password

The user's username

Then it would be pretty hard to get the user's password :P

Posted

lol @ this

I actually did this lately on my website using SHA-512 due to an article by an MWG staff member, which I'm sure is where this was inspired from.

SALT is a good idea, but a 150-char SALT + max 32-char password, now that's 182 chars (MAX) into a SHA-512 hash; there's gotta be an issue there. Also, I assumed salt was only added to disallow rainbow chart compares.

SALT = 123

PASS = abc

SALT+PASS = 123abc

encrypted into SHA-512 = 7b6ad79b346fb6951275343948e13c1b4ebca82a5452a6c5d15684377f096ca927506a23a847e6e046061399631b16fc2820c8b0e02d0ea87aa5a203a77c2a7e

Adding a 150-char SALT seems idiotic...

SHA-512 takes approx. 45655.965 milliseconds (45.655964999999995 seconds) with 1000 KB of random data to generate.

I'd say 50 random chars (everyone's the same) as the salt would work just fine. I mean, if your website/game is secure, you have nothing to worry about.

Posted
Wouldn't their username work better, so it's different for everyone?
Ultimately you would want something like:

eh9g35g93j4f9u394fu934ut34T£$RTq3F£$T/34G?£$%G2$%"3EG"$H£$%H£^H£tb34h£$%H"£h$b$%^34^%2G£5g"£%F"£$$£&^3^435^3g4vg345345g (This long string should be around 150 chars, and will be different for every user)

The user's password

The user's username

Then it would be pretty hard to get the user's password :P

I would have gone a bit, well, not a bit, a hell of a lot longer. I would have literally sat there for 10 minutes pressing random stuff on my keyboard.

Posted
OK, I'd like to reiterate to everyone here: you CANNOT

You're unable to view this code.

Install this on an existing game.

It's possible; it just depends on how you do it.

Authenticate.php, there's your hint ;) Think about it...
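What the hint points at, as an added example that is not the thread's code: the login path in Authenticate.php accepts the old unsalted MD5 hash once, and on success rewrites the row with a new hash while the plaintext is in hand, so existing players are upgraded without a forced reset. It uses PHP's built-in password_hash()/password_verify() (bcrypt, with a per-user salt generated and stored inside the hash string) rather than the hand-rolled salted SHA-512 from the first post; the users table layout is an assumption.

```php
<?php
// Added example (not the thread's code): upgrade legacy unsalted-MD5 rows to
// password_hash() the first time each player logs in. Column names are assumptions.
declare(strict_types=1);

// Legacy rows are 32 hex chars; password_hash() output starts with "$2y$" or "$argon2",
// so the two can never be confused.
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Authenticate.php: returns true on success and, for a legacy row, rewrites it
// with the new scheme while the plaintext password is still available.
function loginAndUpgrade(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }

    if (isLegacyMd5($stored)) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $rehash = true;                                   // verified the old way, once
    } else {
        if (!password_verify($password, $stored)) {
            return false;
        }
        $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT); // cost raised since?
    }

    if ($rehash) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Demo on constructed data: one legacy player whose row holds md5('oldpass').
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['legacy', md5('oldpass')]);

if (loginAndUpgrade($db, 'legacy', 'wrong')) { throw new RuntimeException('wrong password accepted'); }
if (!loginAndUpgrade($db, 'legacy', 'oldpass')) { throw new RuntimeException('legacy login failed'); }

$now = $db->query("SELECT password FROM users WHERE username = 'legacy'")->fetchColumn();
if (isLegacyMd5($now)) { throw new RuntimeException('row was not upgraded'); }
if (!loginAndUpgrade($db, 'legacy', 'oldpass')) { throw new RuntimeException('login after upgrade failed'); }
echo "ok\n";
```

Players who never come back keep an MD5 row forever, so the objection raised earlier in the thread still applies to them: after a grace period, force a reset (or expire the password) for whatever rows still match the legacy pattern. Telling the schemes apart by the shape of the stored string works here because a bcrypt string can never be 32 hex characters, but a separate scheme/version column is the cleaner way to carry that state.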

Posted
SALT is a good idea, but a 150-char SALT + max 32-char password, now that's 182 chars (MAX) into a SHA-512 hash; there's gotta be an issue there. Also, I assumed salt was only added to disallow rainbow chart compares.
Okay, 150-char salt + 32-char password = 182 chars. What's your point?

SALT = 123

PASS = abc

SALT+PASS = 123abc

encrypted into SHA-512 = 7b6ad79b346fb6951275343948e13c1b4ebca82a5452a6c5d15684377f096ca927506a23a847e6e046061399631b16fc2820c8b0e02d0ea87aa5a203a77c2a7e

Thanks for a demonstration of hashing with a salt.

Adding a 150-char SALT seems idiotic...
Why?

SHA-512 takes approx. 45655.965 milliseconds (45.655964999999995 seconds) with 1000 KB of random data to generate.
What's your point?

I'd say 50 random chars (everyone's the same) as the salt would work just fine. I mean, if your website/game is secure, you have nothing to worry about.
If you use the same salt of length 50 for everybody, IF somebody is able to match a password to a hash with a rainbow table, once that is done then everybody else's passwords can be matched even faster by using a new rainbow table which uses the salt. All it takes is one match to make your salt completely meaningless.
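An added example, not part of the post, that puts numbers on the argument above. The attacker is assumed to hold the salt in both runs. With one site-wide salt, each dictionary word is hashed once and looked up against every account's hash at the same time; with a salt per account the whole dictionary has to be rehashed for every account separately. Users, passwords and the dictionary are constructed demo data.

```php
<?php
// Added example (not the post's code): how much a dictionary attack costs against
// one site-wide salt versus a salt per account. Users and passwords are constructed.
declare(strict_types=1);

const SITE_SALT = 'the-one-string-in-register.php';   // known to the attacker in both runs

$dictionary = ['123456', 'password', 'letmein', 'dragon', 'qwerty', 'monkey'];
$users = ['ann' => 'dragon', 'bob' => 'letmein', 'cat' => 'qwerty', 'dan' => 'hunter2'];

// What the attacker holds after a dump: username => [salt, sha512(salt . password)].
function dumpTable(array $users, ?string $sharedSalt): array
{
    $table = [];
    foreach ($users as $name => $pw) {
        $salt = $sharedSalt ?? bin2hex(random_bytes(16));
        $table[$name] = [$salt, hash('sha512', $salt . $pw)];
    }
    return $table;
}

// Shared salt: hash each word once and look it up against every account at once.
function crackShared(array $table, array $dictionary, string $salt): array
{
    $byHash = [];
    foreach ($table as $name => $entry) {
        $byHash[$entry[1]] = $name;
    }
    $ops = 0;
    $found = [];
    foreach ($dictionary as $word) {
        $ops++;
        $h = hash('sha512', $salt . $word);
        if (isset($byHash[$h])) {
            $found[$byHash[$h]] = $word;
        }
    }
    return ['ops' => $ops, 'found' => $found];
}

// Per-user salt: nothing computed for one account helps with the next one.
function crackPerUser(array $table, array $dictionary): array
{
    $ops = 0;
    $found = [];
    foreach ($table as $name => [$salt, $h]) {
        foreach ($dictionary as $word) {
            $ops++;
            if (hash_equals($h, hash('sha512', $salt . $word))) {
                $found[$name] = $word;
                break;
            }
        }
    }
    return ['ops' => $ops, 'found' => $found];
}

$shared  = crackShared(dumpTable($users, SITE_SALT), $dictionary, SITE_SALT);
$perUser = crackPerUser(dumpTable($users, null), $dictionary);
printf("shared salt:   %2d hashes computed, %d of %d accounts cracked\n",
    $shared['ops'], count($shared['found']), count($users));
printf("per-user salt: %2d hashes computed, %d of %d accounts cracked\n",
    $perUser['ops'], count($perUser['found']), count($users));
```

Both runs recover the same three weak passwords (the fourth is not in the dictionary); the difference is the number of hashes computed, which is the dictionary size for the shared salt and up to dictionary size times number of accounts for per-user salts. That gap is what a precomputed table exploits: with one salt the attacker builds the table once for the whole site, and once any hash matches the salt is confirmed for every other row. Per-user salts do not make the hash itself slower, so the other half of the fix is a deliberately slow function such as bcrypt.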
Posted
SALT is a good idea, but a 150-char SALT + max 32-char password, now that's 182 chars (MAX) into a SHA-512 hash; there's gotta be an issue there. Also, I assumed salt was only added to disallow rainbow chart compares.
Okay, 150-char salt + 32-char password = 182 chars. What's your point?

SALT = 123

PASS = abc

SALT+PASS = 123abc

encrypted into SHA-512 = 7b6ad79b346fb6951275343948e13c1b4ebca82a5452a6c5d15684377f096ca927506a23a847e6e046061399631b16fc2820c8b0e02d0ea87aa5a203a77c2a7e

Thanks for a demonstration of hashing with a salt.

Adding a 150-char SALT seems idiotic...
Why?

SHA-512 takes approx. 45655.965 milliseconds (45.655964999999995 seconds) with 1000 KB of random data to generate.
What's your point?

I'd say 50 random chars (everyone's the same) as the salt would work just fine. I mean, if your website/game is secure, you have nothing to worry about.
If you use the same salt of length 50 for everybody, IF somebody is able to match a password to a hash with a rainbow table, once that is done then everybody else's passwords can be matched even faster by using a new rainbow table which uses the salt. All it takes is one match to make your salt completely meaningless.

You have a point there, but let's just see here...

IF THEY CAN PULL THE PASSWORD FROM THE DATABASE THEN PULLING THE SALT IS A DODDLE!

I thought I'd bold it for you just so you got the picture.

Also, what are the odds of someone guessing a 50-char salt with random chars?

I bet it's slim, but I'm sure a 150-char salt would be slimmer? Who seriously cares? You're now saying that a 182-char password hashed is a good thing even though it would load a little slower. My reason for saying it's idiotic is because I personally think it is wrong.

I am sure if a real programmer came here and viewed this they would totally agree (that's not a compliment, darling ;) ), but I'm no professional, so I could be wrong, and then again so could you...

Please don't come back with storing SALT in files :|

Posted
IF THEY CAN PULL THE PASSWORD FROM THE DATABASE THEN PULLING THE SALT IS A DODDLE!
Great, you just invalidated your own opinion as well as mine.

Of course if they can get the password from the database then you're screwed. If they have access to the database, then getting a player's password isn't even needed. The point is that if somebody were able to get a hashed password by some other means, there's no way they can do anything with it.

 

Also, what are the odds of someone guessing a 50-char salt with random chars?

I bet it's slim, but I'm sure a 150-char salt would be slimmer?

150 chars is a hell of a lot harder to 'guess' than 50 chars. Do you really think people sit there typing 50 characters of random strings until they get something? This stuff can be computed.

 

Who seriously cares? You're now saying that a 182-char password hashed is a good thing even though it would load a little slower. My reason for saying it's idiotic is because I personally think it is wrong.
I didn't say that. But I would say a 182-char password hashed is better than 50 characters hashed.

It would load a little slower?! Are you serious? Go do some benchmarking and then come reply again. I hope you know that hashing is a very common method of validating data other than passwords, and hash algorithms can be applied to huge files.

 

I am sure if a real programmer came here and viewed this they would totally agree (that's not a compliment, darling ;) ), but I'm no professional, so I could be wrong, and then again so could you...
At least you admit you're not a real programmer. How do you know I'm not?

 

Please don't come back with storing SALT in files :|
And what's wrong with that? Where do you store your single, 50 character salt then? Do you have a table in your database labeled salt, with one column and one row containing 50 characters?
Posted

Great, you just invalidated your own opinion as well as mine.

Of course if they can get the password from the database then you're screwed. If they have access to the database, then getting a player's password isn't even needed. The point is that if somebody were able to get a hashed password by some other means, there's no way they can do anything with it.

150 chars is a hell of a lot harder to 'guess' than 50 chars. Do you really think people sit there typing 50 characters of random strings until they get something? This stuff can be computed.

I didn't say that. But I would say a 182-char password hashed is better than 50 characters hashed.

It would load a little slower?! Are you serious? Go do some benchmarking and then come reply again. I hope you know that hashing is a very common method of validating data other than passwords, and hash algorithms can be applied to huge files.

At least you admit you're not a real programmer. How do you know I'm not?

And what's wrong with that? Where do you store your single, 50 character salt then? Do you have a table in your database labeled salt, with one column and one row containing 50 characters?

OK, maybe I have to explain this in more detail so you understand. I basically said we have our different opinions, right?

I also said neither of us are professionals, and since you said how do I know you're not, well, then maybe I'd see knowledge in your replies rather than opinionated BS.

Storing a SALT in a DB is obviously stupid with MC anyway.

When I said don't reply with saying store them in files, I was referring to the USER random 150-char SALTS which you lot seem to think would be great... (can't wait till someone proves you lot wrong). 150 chars per user: imagine that for a big game like WoW... or something small like DarkOrbit. So you're storing 150 random chars in some way related to a user ID in the database, rather separate from the members/users table. Wow.

So say, for example, 1 million users: a separate table with two columns, userid and salt (150 random chars). Sounds fun, doesn't it...

That's approx. 150 million chars held in the salt section alone...

SELECT `SALT` FROM `hidden_SALT`

^ be a fun day, eh ;)

When I referred to storing in files, I was referring to .txt on the website, not inside register.php (come on). The single SALT could be stored at 50 or even 150 chars; I don't disagree with that much, but 150 chars per user and then storing it in the SQL somewhere...

So let's clear something up: you're a professional?

Posted
maybe I'd see knowledge in your replies rather than opinionated BS.
Ouch, that hurts. I don't see any reason to reply to this comment. How about we stay on topic?

 

Storing a SALT in a DB is obviously stupid with MC anyway.
Okay, I don't use MC so I wouldn't know.

 

150 chars per user: imagine that for a big game like WoW... or something small like DarkOrbit. So you're storing 150 random chars in some way related to a user ID in the database, rather separate from the members/users table. Wow.
Yes, let's stop storing data because we'll be wasting disk space.

 

So say, for example, 1 million users: a separate table with two columns, userid and salt (150 random chars). Sounds fun, doesn't it...

That's approx. 150 million chars held in the salt section alone...

SHA-512 gives a hash of 512 bits... In your scenario, the storage used for saving passwords is half a gigabyte. The salt is only a little over twice that amount of storage, assuming a fixed-width 8-bit character set encoding. With 1 million users, you can certainly afford 1.2 GB of disk space.

 

When I referred to storing in files, I was referring to .txt on the website, not inside register.php (come on).
And why not inside register.php? Are we to assume that your source code and file system as well as your database are all insecure in this hypothetical situation? In that case, I doubt any amount of hashing or salting or security could save that website.

EDIT: Sorry, I wrote the above assuming there would be one hash. Of course, if you were to have a separate hash with each user, then it would be best to store them in a separate file/folder.

 

The single SALT could be stored at 50 or even 150 chars; I don't disagree with that much, but 150 chars per user and then storing it in the SQL somewhere...
See, this single line has cleared up my confusion from the past two posts. All you needed was this sentence in the first post and I would know what you were arguing about.

 

So let's clear something up: you're a professional?
Yes.
Posted
Okay, I don't use MC so I wouldn't know.

You're not using MC, right... I'll come back to this later, then.

 

And why not inside register.php? Are we to assume that your source code and file system as well as your database are all insecure in this hypothetical situation? In that case, I doubt any amount of hashing or salting or security could save that website.

You stated above you don't use MC, so I'll be kind: MC is INSECURE.

 

See, this single line has cleared up my confusion from the past two posts. All you needed was this sentence in the first post and I would know what you were arguing about.

So because I said a single SALT is OK at 150 chars you're happy? WOW, you made this entire conversation up just for that. You're sad, mate.

 

Yes.

So where's your identification or online portfolio?

Also, the section of this thread is mccode/dbscode Game Engine » Free Plugins, so a professional who goes to forums and does what with the free work he sees?

Posted
So because I said a single SALT is OK at 150 chars you're happy?
No, stop jumping to conclusions and read the rest of that post. You know, the part before that line.

All I meant by that line was, I didn't realize that was all you were arguing. Now it is clear for me what you are arguing about. And I still disagree.

EDIT: Silly me.

Posted
Wow, you really love jumping to conclusions don't you? Now you're accusing me of what, stealing MC code for work? HAHA. That's just silly. Even I have seen the code running behind that script.

I am a member of the forum. The forum is called Make Web Games, not MCCode Forum. Web games are a hobby for me.

You say I jump to conclusions, yet you just did it... You jumped to the conclusion that I was saying you're a thief or something. I was simply just asking: if you're a professional and don't use MC, why are you here in the free section of the MC codes section of MWG?

Sorry if you took that the wrong way; it in no way meant what you assumed.

 

I really don't want to identify myself for you, and I don't care if you believe me or not.

OK, I was only asking...

 

You know what's really sad? When somebody stops debating and starts attacking the debater. It just means they've got nothing left to say. So I'll stop replying. You're a troll or just stupid, either way it's a waste of time.

Now forgive me, but the bold section above in the quote is doing exactly what you're accusing me of, right?

I simply wanted to argue the fact that a 150-char random SALT per user is not needed when it could be just as secure with a SET 50-char SALT in the file. (Obviously 150 random per user would be statistically more secure, but not needed.)
