tommymaster Posted September 24, 2018
Hi, right now I am storing passwords in my database like this: I use hash("sha512", ...) on the password on the client side, then send it to the server side and update the database with it. I have no other protection on passwords. Many told me that it's not safe; what can I do?
JeViCo Posted September 24, 2018
First of all I recommend you to use encodeString and decodeString to encrypt everything with your own password. Also you have to use those functions server-side to make your own password secure.
1 hour ago, tommymaster said: Many told me that it's not safe, what can I do?
By the way, your protection depends on your code. If you send password + some info which attaches the current account to the player (for example serial) using the triggerServerEvent function, that would not be safe at all. Another example: when a player logs in, he/she gets elementData with account id/account name and you send it server-side; this is unsafe too. You have to send only the player's password using triggerServerEvent and get the other information server-side @tommymaster
Dimos7 Posted September 24, 2018
md5
Edited September 24, 2018 by Dimos7
tommymaster (Author) Posted September 24, 2018
5 hours ago, JeViCo said: First of all I recommend you to use encodeString and decodeString to encrypt everything with your own password. [...] You have to send only the player's password using triggerServerEvent and get the other information server-side @tommymaster
People told me to add salt to my passwords, but I don't really know what it does. Could you help me with that? So the simple hash("sha512", ...) will not be enough?
Master_MTA Posted September 25, 2018
3 hours ago, tommymaster said: simple hash("sha512", ...) will not be enough
It's not about enough or not, it's about how you will pass the variable from the client side to the server side. If you want to be more safe, just encrypt it on both sides, client and server; that will be better.
Edited September 25, 2018 by Master_MTA
tommymaster (Author) Posted September 25, 2018
12 hours ago, Master_MTA said: It's not about enough or not, it's about how you will pass the variable from the client side to the server side. If you want to be more safe, just encrypt it on both sides, client and server; that will be better.
So should I use hash on both the client side and the server side?
Master_MTA Posted September 25, 2018
35 minutes ago, tommymaster said: So should I use hash on both the client side and the server side?
And better to use a double hash, not only one, like this: hash('sha',tostring(hash('md5',pass))) You got it?
Edited September 25, 2018 by Master_MTA
tommymaster (Author) Posted September 25, 2018
Yes, but would this be enough?
Master_MTA Posted September 25, 2018
1 minute ago, tommymaster said: Yes, but would this be enough?
Yup, I think so, and better to make more than 2 hashes if you want; more hashes = better security.
tommymaster (Author) Posted September 25, 2018
You mean, use the hash("sha512", ...) on the password more than 2 times?
Megadreams (Discord Moderators) Posted September 25, 2018
22 hours ago, Dimos7 said: md5
Unsafe.
41 minutes ago, Master_MTA said: And better to use a double hash, not only one, like this: hash('sha',tostring(hash('md5',pass))) You got it?
Unnecessary, it only eats up extra resources for no reason. What you should care most about is how to transfer the password safely to the server without running the risk of it being sniffed out by a man-in-the-middle attack. Luckily for you, triggerServerEvent already encrypts the data being sent, so you don't need to apply your own encryption. On the server you can then hash the password (using sha256; sha512 is overkill) together with a salt (that you store together with the password). I don't generally recommend hashing client-side as that may compromise the salt. You can also use the passwordHash and passwordVerify functions, which are the most recommended solution (using "bcrypt" as the hashing algorithm). These functions automatically handle the salt for you and prevent so-called 'timing attacks'.
Edited September 25, 2018 by Megadreams
Master_MTA Posted September 25, 2018
46 minutes ago, Megadreams said: triggerServerEvent already encrypts the data being sent,
I didn't know that, thanks for the info.
tommymaster (Author) Posted September 25, 2018
2 hours ago, Megadreams said: You can also use the passwordHash and passwordVerify functions, which are the most recommended solution (using "bcrypt" as the hashing algorithm). These functions automatically handle the salt for you and prevent so-called 'timing attacks'.
Could you please give me an example?
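An added example, not posted by anyone in the thread and not part of any MTA resource: a server-side script that follows Megadreams' and JeViCo's advice (client sends only name + password over triggerServerEvent, bcrypt via passwordHash/passwordVerify on the server, nothing account-related trusted from the client). It also goes one step beyond the thread and shows how to migrate the poster's existing unsalted sha512 rows to bcrypt on the user's next successful login. The event names, the "accounts" table and its columns, the 8-character minimum and the bcrypt cost are assumptions made for the example.

```lua
-- Server-side resource script (added example; names below are assumptions).
-- Client side sends only what the server cannot derive itself, e.g.:
--   triggerServerEvent("account:login", localPlayer, name, password)
-- Serial, account id and anything else is read server-side from `client`.

local db = dbConnect("sqlite", "accounts.db")
dbExec(db, "CREATE TABLE IF NOT EXISTS accounts (name TEXT PRIMARY KEY, password TEXT)")

local BCRYPT_COST = 11   -- MTA default is 10; raise as the server CPU allows
local MIN_PASSWORD_LEN = 8

addEvent("account:register", true)
addEvent("account:login", true)

-- Legacy rows are lowercase hex sha512 digests (128 chars) written by the
-- old client-side hash("sha512", ...) scheme.
local function isLegacySha512(stored)
    return type(stored) == "string" and #stored == 128 and stored:match("^%x+$") ~= nil
end

-- passwordHash generates and embeds its own salt; we never handle it.
local function upgradeToBcrypt(name, password)
    passwordHash(password, "bcrypt", { cost = BCRYPT_COST }, function(hashed)
        dbExec(db, "UPDATE accounts SET password = ? WHERE name = ?", hashed, name)
    end)
end

addEventHandler("account:register", root, function(name, password)
    -- `client` is set by MTA to the player that triggered the event; never
    -- trust a player element passed as an argument, it can be spoofed.
    local player = client
    if type(name) ~= "string" or type(password) ~= "string"
       or #name == 0 or #password < MIN_PASSWORD_LEN then
        triggerClientEvent(player, "account:registerResult", player, false, "bad input")
        return
    end
    -- Callback form keeps the deliberately slow bcrypt off the main thread.
    passwordHash(password, "bcrypt", { cost = BCRYPT_COST }, function(hashed)
        local ok = dbExec(db, "INSERT INTO accounts (name, password) VALUES (?, ?)", name, hashed)
        triggerClientEvent(player, "account:registerResult", player, ok == true)
    end)
end)

addEventHandler("account:login", root, function(name, password)
    local player = client
    if type(name) ~= "string" or type(password) ~= "string" then return end

    -- Parameterised query: `?` placeholders, never string concatenation.
    dbQuery(function(queryHandle)
        local rows = dbPoll(queryHandle, 0)
        local stored = rows and rows[1] and rows[1].password
        if not stored then
            -- Same response as a wrong password, so names cannot be enumerated.
            triggerClientEvent(player, "account:loginResult", player, false)
            return
        end

        if isLegacySha512(stored) then
            -- One-time check against the old unsalted digest, then upgrade.
            local ok = hash("sha512", password):lower() == stored:lower()
            if ok then upgradeToBcrypt(name, password) end
            triggerClientEvent(player, "account:loginResult", player, ok)
            return
        end

        -- bcrypt path: salt comes out of the stored hash, comparison is
        -- constant-time inside passwordVerify.
        passwordVerify(password, stored, {}, function(ok)
            if ok then
                -- Account identity lives server-side only (4th arg false = no sync
                -- to clients), so a client cannot send it back to us later.
                setElementData(player, "account", name, false)
            end
            triggerClientEvent(player, "account:loginResult", player, ok)
        end)
    end, db, "SELECT password FROM accounts WHERE name = ?", name)
end)
```

Usage: the client script only needs to call triggerServerEvent with the name and password from the login GUI and listen for the result events; it should never compute or send a hash itself. Once every account has logged in once, the sha512 branch can be deleted, or the remaining legacy rows can be forced through a password reset.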