Project HTML5 Habbo

Status
Not open for further replies.
Junior Spellweaver
Joined
Dec 15, 2015
Messages
139
Reaction score
35
Uhh... what? Securely storing sensitive data is literally the first thing you should ever code support for in the beginning of any project.

You're completely happy to store passwords in plaintext? Christ.
It's better to make it a habit than to forget it should you ever get a job as a developer.
Thanks for the advice, I've added an MD5 hash for the passwords.


It doesn't drop performance or anything but using a correct naming convention makes your code cleaner and in some way more professional.
PHP:
public function Execute() {

Function names should either be camelCase or under_score, so like:

PHP:
public function execute() {

And for example this function:

PHP:
public function GenerateKey($userid) {

Would be either

PHP:
public function generateKey($userid) {

Or

PHP:
public function generate_key($userid) {

And variables start with a lowercase. So

PHP:
$Config = [];

Would be

PHP:
$config = [];
Will keep this in mind and edit my current code, thanks.

Yeah, you're 13. What should've happened in your life already? Hash passwords or stop developing, that's it. LOL.
Must be an early April fools joke.
Alright, no need for sarcasm over here buddy.


So this thread is almost 5 months old and still no screenshots? Or did I miss something?
I have restarted the project just a few days ago.
 
Joined
Jun 23, 2010
Messages
2,318
Reaction score
2,195
It doesn't drop performance or anything but using a correct naming convention makes your code cleaner and in some way more professional.

To clear up a few things. As long as he sticks with his current style, it's fine to me. It would, however, be another story when he does things differently each time. For PHP it's common to use PSR-1, I suggest you look that one up.



Thanks for the advice, I've added an MD5 hash for the passwords.

It's better, but I suggest something like SHA2, as MD5 is kinda outdated.
 
Initiate Mage
Joined
Jul 13, 2015
Messages
71
Reaction score
31
Thanks, using "sha256" now.
You would use the password_hash instead (without providing your own salt)
Code:
$hash = password_hash($password, PASSWORD_DEFAULT);

The "hello" string results in:
Sha256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
password_hash: $2y$10$lmrZdH2gbGsU2DdNmKv...zGil392M6lGQ8F0fV12XVAxDOhuVtVK

For this instance, I wouldn't recommend the use of any member of the SHA family, be it SHA1, SHA256, or even SHA512 for password hashing. The reason is that all of these hashes are fast hashes. When an attacker gets access to your database of password hashes and he also has a copy of your salt, which he presumably will considering that your server was compromised, then your users’ passwords are in danger. With a fast hash, the attacker can compute billions of hashes per second in an offline attack.
 
Joined
Jun 8, 2007
Messages
1,985
Reaction score
490
There's no difference regarding dictionary attacks between MD5 and SHA256 or anything else if you're not using an unpredictable salt.... Anyone with a dictionary of MD5 passwords can replicate that same dictionary into SHA1 or SHA256 or SHA512 or anything else. Secondly, Password hashes should take seconds to complete- SECONDs! not Milliseconds- fast speeds are not the objective here if you are trying to avoid dictionary attacks. You ideally want a supercomputer to take time (250ms?) to process your password. That makes dictionary attacks inconvenient, but not impossible.

As for constructing the salt, use a chunk of the password or something like that to create it. The goal here is to never allow the password to be converted back into plain-text assuming the attacker already has your database and your entire server- but does not yet have the plain-text version of passwords. Oh, and you also must be able to replicate the hashed password in the event of a successful login attempt. It's your responsibility to protect your users, nobody gives a duck if nothing bad has ever happened before. You shouldn't risk feeling guilty for releasing all of your user's passwords if something

TL;DR.
It's incredibly irresponsible to use the excuse "Nothing bad has ever happened to me before" in computer science.
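The two posts above (the password_hash one and the one on salts and slow hashing) describe the same pattern; the following is an added example written for this thread, not code from the project or from either poster. It assumes PHP 7.3 or newer (for hrtime), a bcrypt cost of 12 chosen as an assumption to be tuned per server, and a hypothetical legacy column of unsalted sha256 hashes like the one the project currently uses. Note that password_hash generates a random salt itself and embeds algorithm, cost and salt in the stored string, so there is no separate salt to construct or store, and password_verify can always reproduce the hash on login.

```php
<?php
// Added example for this thread (not from the project): password storage with
// password_hash()/password_verify(), transparent rehashing, migration off an
// unsalted sha256 column, and a rough fast-vs-slow hash timing comparison.
declare(strict_types=1);

// Assumption: cost 12 is a starting point; raise it until one hash takes a few
// hundred ms on the login server (the "250ms" figure discussed above).
const BCRYPT_COST = 12;

// Store the returned string as-is (60 chars for bcrypt, allow 255 for future algorithms).
// The algorithm ($2y$), cost and a random 16-byte salt are all embedded in it.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
}

// Login against a password_hash() string. If the stored hash uses an older cost
// or algorithm, $newHash is set and the caller writes it back to the database.
function loginUser(string $password, string $storedHash, ?string &$newHash = null): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        $newHash = hashPassword($password);
    }
    return true;
}

// Migration path for the hypothetical legacy column: verify against the old
// unsalted sha256 value with a constant-time compare, then replace it with
// bcrypt on the first successful login. The plaintext is only ever seen here.
function loginLegacySha256(string $password, string $storedSha256, ?string &$newHash = null): bool
{
    if (!hash_equals($storedSha256, hash('sha256', $password))) {
        return false;
    }
    $newHash = hashPassword($password);
    return true;
}

// Why a "fast" hash is the wrong tool: average time per sha256 vs one bcrypt.
// An attacker with the database runs the same operation billions of times offline,
// so the per-guess cost is the only thing that slows a dictionary attack.
function timeHashes(string $password, int $iterations = 1000): array
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        hash('sha256', $password);
    }
    $sha256Ms = (hrtime(true) - $start) / 1e6 / $iterations;

    $start = hrtime(true);
    hashPassword($password);
    $bcryptMs = (hrtime(true) - $start) / 1e6;

    return ['sha256_ms_per_hash' => $sha256Ms, 'bcrypt_ms_per_hash' => $bcryptMs];
}

// Demonstration on a constructed password.
$hash = hashPassword('hello');
printf("stored hash: %s\n", $hash);

$newHash = null;
var_dump(loginUser('hello', $hash, $newHash));   // correct password
var_dump(loginUser('Hello', $hash, $newHash));   // wrong password

// Two hashes of the same password differ because each gets its own random salt,
// which is what defeats a precomputed dictionary of MD5/SHA values.
var_dump(hashPassword('hello') === hashPassword('hello'));

// Upgrading a legacy unsalted sha256 entry on login.
$legacy = hash('sha256', 'hello');
$upgraded = null;
var_dump(loginLegacySha256('hello', $legacy, $upgraded));
printf("migrated to: %s\n", $upgraded);

print_r(timeHashes('hello'));
```

Keep the verify-then-rehash step in the login path; it is what lets you raise the cost later (or move to Argon2 via PASSWORD_ARGON2ID) without forcing every user to reset their password.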
 
Developer
Joined
Dec 11, 2010
Messages
2,955
Reaction score
2,685
Thread closed, if you wish to start the development then send me or one of the other mods a message and I'll reopen it.

Or you could just report the thread to have it reopened. :):
 