The purpose of a hash algorithm is to store passwords in a safe way. Hash algorithms are a lot more effective if they are being used with a _salt_. Some of the hashes in AuthMe don't have a salt and we'd like to stop them from being used.
In 5.4, if an unsalted hash is detected in the configuration, it will automatically be changed to SHA256—our default. You will not lose any data! The only thing that happens is that when a player logs in, his hash will be changed to SHA256. Eventually everyone will have a SHA256 in the database (or whatever hash you want to use instead).
We offer many hash algorithms with salts. They can be found at https://github.com/AuthMe/AuthMeReloaded/blob/master/docs/hash_algorithms.md. In particular, note the "Recommendation" column. The old hash can be added to the legacyHashes setting to ensure that everyone's login will still work.
We need to deprecate our hash options MD5, SHA1 and SHA512. All three implementations are unsalted. Especially the fact that SHA256 _is_ salted but its brothers aren't is confusing.
Maybe take a look at Argon2? Argon2 is currently the most secure password hashing algorithm, even more secure than scrypt. It could be a milestone too for 5.4.
Edit:
Original Argon2 source: https://github.com/P-H-C/phc-winner-argon2
Java implementation of Argon2: https://github.com/phxql/argon2-jvm
@Eyremba we can gladly do this, but please open a new issue for it ;)
We use MD5 we need this :)
Why can you not switch?
We use MD5 we need this :)
Wtf...? Why MD5? It can be cracked in 0,0001 seconds.
I need MD5 since I made a little website for my Minecraft server where users can login using the same password as AuthMe, that's easy to implement in php. I NEED MD5 unless someone gives me advice on how to authenticate users in php using SHA256, in the way AuthMe does...
@LoneWolfXXVI Why don't you use Bcrypt? It's the default password implementation in PHP since 5.5. (reference)
We have sample integrations at https://github.com/AuthMe/AuthMeReloaded/tree/master/samples/website_integration for sha256 and bcrypt
Edit: if you look at the bcrypt file you see that we just wrap two standard php functions. So I would suggest to migrate to that — this will be an easy task for you to change in your code
Ok I will check them out, I was looking for something like this in the first place, thanks!
md5 T^T i need this , because i dont know how to encode be like your code
md5 T^T i need this
Update to bcrypt, scrypt, or Argon2
i need some tips~
in php how can i encode same code for bcrypt???
or any else??
i use mysql get the code
in mysql it show me start with $2a$
and i use php password_hash("xxxx", PASSWORD_BCRYPT);
he show me start with $2y$
@@
Configure passwordHash=BCRYPT2Y in your AuthMe config and it will generate the same prefix as PHP does ($2y). It's an issue in the library we use.
Salt T^T
is It random???
salt = "$2y$10$" + salt
GENed code are not same everytimes
You mean the password hashes are not equal for the same user input? That's normal and a security feature. A random salt is generated each time to make the hash more unique. You have to use the PHP password_verify method to compare the passwords correctly. This will extract the salt to generate the same password hash.
Thanks you very much!!!
It must be left to the user's decision which hash algorithm wants to be use.
Personally I think more freedom = more better.
It must be left to the user's decision which hash algorithm wants to be use.
Yes, but md5 and unsalted hashes are way too insecure for storing passwords. Passwords of your server and all your users should be saved in a safe manner.
EDIT: FYI Deprecating means place a warning before we actually remove it.
Yes, but md5 and unsalted hashes are way too insecure for storing passwords. Passwords of your server and all your users should be saved in a safe manner.
It's user/server admin problem, not ours
If they want to use something unsafe, it's their problem.
However, the default plugin setting must be something with salt and heavy like PBKDF2 or BCrypt
For example i use SHA512 to hook in my site, simple & easy, because was for small server, not the big one,
and SHA512 still ok...
@fmohican We offer sample PHP integrations for BCRYPT, SHA256 and PBKDF2 at https://github.com/AuthMe/AuthMeReloaded/tree/master/samples/website_integration
Really, the easiest way to hook into AuthMe database with PHP is with BCRYPT; if you look at its implementation, it's literally just a wrapper for the built-in PHP functions password_hash() and password_verify().
@ljacqu yah man i check that file, however for me isn't a problem i can make anytime or i can use your's , i just saying, for a small server isn't suitable to use hashed password with salt. Simple hashed password with good hashing algorithm like SHA2, SHA512 or at lasted MD5
In my case i can use plaintext, that isn't a problem, because at ~50/day (with a maximum 60) players isn't any problem to use unsalted and unhashed password if know to secure database server.
Of course, when we talk about a larger server with more than 500 players, we need to increase the security measures.
Anyway, that's just my personal opinion. Do not judge me.
isn't any problem to use unsalted and unhashed password if know to secure database server.
security tips 2017
@sgdc3 Yes I'm 100% sure that one of 20 player is a cracker dealing with security issues and cracking your password to get some shit like diamond. xDDD
We talk about kid's who play a game. If someone really want to crack your server be sure he will do.
@fmohican These "kids" could use the same password on other sites. The correct behaviour to face this situation is the use of a good hashing method, it's a form of respect to players...
You should consider that your users base is not that different from the others.
@HexelDev i don't care about their password. You probably think I'm rude. But they are also rude when call admin/mod and ask " X steal my items!!! BAN BAN BAN!". Most do not understand what the player vs. the player means. Don't mind, lets be on topic.
It is not worth using the salted password for small servers. I understand that this plugin targets lager server, but I say don't neglect the little ones and the will of the administrators/owners.
As I said and I repeat, most have barely discovered the internet. There is no point in complicating more than necessary.
It is not worth using the salted password for small servers
@fmohican Are you talking about the performance of using a good hashing algorithm. First I think it's more important about security and second I highly doubt you will notice the difference especially if it's a small server and only used for once every player join.
SHA2, SHA512 or at lasted MD5
Taking md5 as an example. md5 is complete no-go for hashing passwords with today's hardware. You can generate millions of hashes within seconds. Moreover there are multiple other security issues about md5.
@games647 good point.
I see one method that can satisfy everyone. Its simple and "easy" to use.
Add possibility to enable / disable password salt in config a line like
disable_pass_salt: false
and of course an warning like
This may cause heavily security issues and decrease performance, use only if you know what are you doing.
I'm sorry for my english, i'm not native speaker.
@gavrilyuc Please explain why you can't switch?
@ljacqu Can we close this?
No
What we have to do about it?
Settings need to be changed if deprecated hash is used
Hi @sgdc3, this is now implemented. If you have time to look it over, please do so, otherwise feel free to close. ;) Thanks
Looks good, thank you ;)
Most helpful comment
Update to bcrypt, scrypt, or Argon2