The new password encrypting function passwordHash


jingzhi

Posted

Hello everyone,

I am now working on a login system. I noticed in the MTA wiki that it is recommended to use the function passwordHash to encrypt passwords. However, they also said that there can be short freezes when using this algorithm. Although I already used a callback function as they suggested, I still want to make sure it will not cause any lag on the server. Has anyone used this function yet? Please tell me what happens when using this function (especially on a server with many players). Thanks in advance!

Posted

There's no point using it. In order to work, you have to save the hash to their account in order to verify it later on, which means if someone gets a copy of your database, he'll know every password's hash key to unhash it. Better is to make your own, which requires custom functions in order to unhash it, not MTA's built-in, which anyone can do with no scripting knowledge.

Posted

Please tell me you're not serious, never roll out your own crypto. Storing hashes from passwordHash is as safe as it gets. There's no "passwordUnhash"; the only feasible way of unhashing it is rainbow tables, but I'm sure MTA salts the passwords, so it shouldn't be a problem.

  • Like 1
Posted
On 11/15/2017 at 13:01, quindo said:

Please tell me you're not serious, never roll out your own crypto. Storing hashes from passwordHash is as safe as it gets. There's no "passwordUnhash"; the only feasible way of unhashing it is rainbow tables, but I'm sure MTA salts the passwords, so it shouldn't be a problem.

Have you seen passwordHash and passwordVerify at work? You can check the wiki's example.

Posted

I sure did. passwordHash gives you a hashed password, which you store in the database. passwordVerify only checks whether the given password results in that given hash; you can't get the password from the hash. The original password isn't stored anywhere.

  • Like 1
  • Moderators
Posted (edited)

Even so, you will need to brute force it, because it is a one-way encryption. passwordVerify can't convert them back to the original, it can only check if a hash is the same as the original password. Which means you need the original password first.

@quindo oh you were quicker haha

 

I would say: Brute force + this function = ~2030+. (Not sure how long that would take)

 

After all, if you want to make it harder, you can use teaEncode on top of it. (which I do)

https://wiki.multitheftauto.com/wiki/TeaEncode

 

Problem solved.

Edited by IIYAMA
  • Like 1
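
The flow described in the replies above, as an added example that is not part of any post and not the MTA wiki's own code: a server-side MTA Lua script that stores only the passwordHash output and checks logins with passwordVerify, passing callbacks so the bcrypt work does not block the server. The in-memory accounts table (standing in for a database) and the demoregister/demologin command names are assumptions for illustration.

```lua
-- Added example (server-side MTA script), not code from the thread.
-- Assumption: `accounts` stands in for a real database table.
local accounts = {} -- username -> bcrypt hash string; the password is never stored

addCommandHandler("demoregister", function(player, _, username, password)
    if not username or not password then
        return outputChatBox("Usage: /demoregister <username> <password>", player)
    end
    if accounts[username] then
        return outputChatBox("That username is already taken.", player)
    end
    -- With a callback, hashing runs asynchronously and the result is
    -- delivered later, so the server is not held up while bcrypt runs.
    passwordHash(password, "bcrypt", {}, function(hash)
        if not hash then
            if isElement(player) then outputChatBox("Registration failed.", player) end
            return
        end
        -- Re-check: another registration may have finished while we were hashing.
        if accounts[username] then
            if isElement(player) then outputChatBox("That username is already taken.", player) end
            return
        end
        -- The salt is generated per call and kept inside the hash string, so
        -- two users with the same password end up with different hashes.
        accounts[username] = hash
        if isElement(player) then outputChatBox("Registered.", player) end
    end)
end)

addCommandHandler("demologin", function(player, _, username, password)
    local stored = username and accounts[username]
    if not stored or not password then
        -- Same message for unknown user and wrong password.
        return outputChatBox("Invalid username or password.", player)
    end
    -- passwordVerify re-hashes the candidate using the salt and cost embedded
    -- in `stored` and compares the results; nothing is ever "unhashed".
    passwordVerify(password, stored, {}, function(ok)
        if not isElement(player) then return end -- player left while we verified
        outputChatBox(ok and "Logged in." or "Invalid username or password.", player)
    end)
end)
```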
