 

PHP-Encryption

Started by hismajesty, December 22, 2003, 09:28 PM


UserLoser.

Quote from: Kp on December 27, 2003, 07:00 PM
This depends in part on who he's trying to protect against.  If he's dubious about who else might be reading through the stored data, hashing the password server side is good enough if the intruder can only read saved data (cannot listen to your chat with the client).  Failure to do this is what got Trance (in part, anyway): the passwords were stored cleartext, and a malicious individual had read access to the password storage medium.  If the passwords had been stored as a hash, it would have taken at least a little bit of work for the attacker to determine Trance's password in cleartext form.

If the hash is computed client side, then, as you say, obtaining the hash is as good as having the password - for purposes of impersonating the user.  However, even in this case, having the hash of the password would not immediately grant knowledge of the user's cleartext password, so you could only impersonate him/her in this one location.

In my opinion, a good compromise between effort and security is to take the approach Blizzard uses -- a two layer hashing of the password, with the server remembering the one-pass hash and recomputing the two-pass hash from the stored data + the challenge/response cookies.

How are the BotNet accounts & passwords saved?

Kp

Quote from: UserLoser. on December 27, 2003, 08:36 PM
How are the BotNet accounts & passwords saved?

They're still saved however Skywing had them configured to be saved.  I haven't even touched his account modification functions (there's been no need).
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Adron


storedhash = read();
randomvalue1 = read();
password = recv();
hash = md5(password + randomvalue1);
for(i = 0; i < 1000000; i++)
  hash = md5(hash + randomvalue1);
if(storedhash == hash)
  success();


Very secure!

UserLoser.

Quote from: Adron on January 03, 2004, 05:42 PM

storedhash = read();
randomvalue1 = read();
password = recv();
hash = md5(password + randomvalue1);
for(i = 0; i < 1000000; i++)
  hash = md5(hash + randomvalue1);
if(storedhash == hash)
  success();


Very secure!


Is there any language/scripting you don't know? :P

Adron

Quote from: UserLoser. on January 03, 2004, 06:37 PM
Quote from: Adron on January 03, 2004, 05:42 PM

storedhash = read();
randomvalue1 = read();
password = recv();
hash = md5(password + randomvalue1);
for(i = 0; i < 1000000; i++)
  hash = md5(hash + randomvalue1);
if(storedhash == hash)
  success();


Very secure!


Is there any language/scripting you don't know? :P

That's probably not valid php btw... I've only done very little php scripting, and this was more like pseudocode. I was just suggesting that he hash it one million times for improved security.
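The two ideas in this thread (Kp's "two layer" hashing, where the server stores the one-pass hash and recomputes the two-pass hash from it plus the challenge/response tokens, and Adron's "hash it a million times" server-side loop) are shown below as one added, runnable illustration. This is not code from the thread or from any Blizzard or BotNet implementation, and it is Python rather than PHP so the scheme reads language-neutrally. sha256 is substituted for md5, the token sizes and the exact concatenation order inside the two-pass hash are assumptions, and the iteration count is a parameter (Adron's figure is one million; the demo uses fewer).

```python
import hashlib
import hmac
import os


# ---- Adron's idea: salted, repeatedly re-hashed password, checked server side ----

def stretch(password: bytes, salt: bytes, iterations: int) -> bytes:
    """hash(password + salt), then re-hash with the salt `iterations` times.
    sha256 stands in for the post's md5 (a deliberate substitution)."""
    h = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha256(h + salt).digest()
    return h


def register_stretched(password: bytes, iterations: int = 100_000) -> dict:
    """What the server stores: a per-user random salt plus the stretched hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": stretch(password, salt, iterations)}


def verify_stretched(record: dict, password: bytes) -> bool:
    candidate = stretch(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


# ---- Kp's idea: one-pass hash stored, two-pass hash bound to per-login tokens ----

def one_pass(password: bytes) -> bytes:
    """Layer 1: the value the server keeps. It never travels on the wire."""
    return hashlib.sha256(password).digest()


def two_pass(one_pass_hash: bytes, client_token: bytes, server_token: bytes) -> bytes:
    """Layer 2: tied to this login's tokens, so a captured value is useless later.
    The concatenation order here is an assumption of this example."""
    return hashlib.sha256(client_token + server_token + one_pass_hash).digest()


class TwoLayerServer:
    def __init__(self) -> None:
        self.accounts = {}  # user -> stored one-pass hash
        self.pending = {}   # user -> server token for the login in progress

    def create_account(self, user: str, password: bytes) -> None:
        self.accounts[user] = one_pass(password)

    def challenge(self, user: str) -> bytes:
        token = os.urandom(16)
        self.pending[user] = token
        return token

    def check(self, user: str, client_token: bytes, response: bytes) -> bool:
        stored = self.accounts.get(user)
        server_token = self.pending.pop(user, None)  # one attempt per challenge
        if stored is None or server_token is None:
            return False
        expected = two_pass(stored, client_token, server_token)
        return hmac.compare_digest(expected, response)


def client_login(server: TwoLayerServer, user: str, password: bytes) -> tuple:
    """Runs one login; returns (accepted, transcript) where transcript is the
    (client_token, response) pair an eavesdropper on the connection would see."""
    server_token = server.challenge(user)
    client_token = os.urandom(16)
    response = two_pass(one_pass(password), client_token, server_token)
    return server.check(user, client_token, response), (client_token, response)


def replay_rejected(server: TwoLayerServer, user: str, password: bytes) -> bool:
    """A captured (client_token, response) pair does not answer a fresh challenge."""
    ok, (client_token, response) = client_login(server, user, password)
    server.challenge(user)  # a new login attempt gets a new server token
    return ok and not server.check(user, client_token, response)


if __name__ == "__main__":
    rec = register_stretched(b"hunter2", iterations=10_000)  # constructed sample
    print("stretched verify:", verify_stretched(rec, b"hunter2"))
    srv = TwoLayerServer()
    srv.create_account("kp", b"hunter2")
    print("two-layer login:", client_login(srv, "kp", b"hunter2")[0])
    print("replay rejected:", replay_rejected(srv, "kp", b"hunter2"))
```

The two schemes trade off differently, which is Kp's point: the stretched record protects the password if only the stored data leaks, but needs the cleartext password at the server during login; the two-layer scheme keeps the cleartext off the wire and makes captured responses single-use, but the stored one-pass hash is itself enough to answer any challenge, so that stored data still has to be guarded as carefully as a password.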

j0k3r

#20
He missed an end if.

[edit]and an end for[/edit]
Quote: Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin
John Vo

dxoigmn

#21
Quote from: j0k3r on January 03, 2004, 09:31 PM
He missed an end if.

[edit]and an end for[/edit]

He did?

Adron's code is fun.

Adron

It's not the code that matters, it's the idea it tries to convey.

dxoigmn

Quote from: Adron on January 07, 2004, 04:14 PM
It's not the code that matters, it's the idea it tries to convey.

That's why it's fun :)

venox

Quote from: j0k3r on January 03, 2004, 09:31 PM
He missed an end if.

[edit]and an end for[/edit]

Actually, if you want to get technical, in PHP, if you are only doing 1 thing in an if/for statement the { } are not required, therefore..

if($blah)
   do_something();

or

for($i = 0; $i < 10; $i++)
   do_something();

is just fine..