
RevCMS Encryptation

Newbie Spellweaver
Joined
Dec 30, 2013
Messages
19
Reaction score
1
Hello!
You can improve security for your users:

Open class.core.php
REPLACE

Code:
final public function hashed($password)
{
    return md5($password);
}

with

Code:
final public function hashed($password)
{
    $salt = "choose";
    $salt2 = "choose";
    return sha1($salt.$password.$salt2);
}

In $salt and $salt2 insert a random word, for example:

$salt = "549ut85fneif(%&495u8";
$salt2 = "5y8j4g89jndfsaui080??";

NB: If you can't log in because the error "Password incorrect" appears, you need to update all passwords from the old md5 encryptation to the new encryptation.
 
Skilled Illusionist
Joined
Mar 26, 2013
Messages
371
Reaction score
280
You can improve it by generating random salt per user.

If you want to change the existing password hash algorithm, just create a new column "password_v2" and when the user logs in, empty the old md5 poop.
 
Experienced Elementalist
Joined
Nov 11, 2015
Messages
238
Reaction score
89
You can improve it by generating random salt per user.

If you want to change the existing password hash algorithm, just create a new column "password_v2" and when the user logs in, empty the old md5 poop.
Note that this makes 0 sense unless you save the "random" salt somewhere.
Randomly assigning salts on every login attempt would obviously not work.
Not accusing you, I'm sure you know, just for anyone interested in this option.
 
"(still lacks brains)"
Loyal Member
Joined
Sep 2, 2011
Messages
2,371
Reaction score
1,361
You can improve it by generating random salt per user

Utterly pointless and creates unnecessary overhead.

Just use the built-in PHP (PhP for marit) password functions since they are perfectly suitable. Anything like MD5 or SHA1 has been cracked and is deemed not safe by a lot of developers. Also OP forgot to mention this will break all existing passwords and will not allow the user to login - plus he's not actually hashing the password, all he is doing is adding extra characters to the string that SHA1 is encrypting. Plus, he should be using something like bcrypt. Spell "encryption" correctly too pls.

 
Initiate Mage
Joined
Jun 13, 2017
Messages
4
Reaction score
0
Moved to tutorials however this is no rocket science.

Thank you for moving it. I'm gonna make a tutorial on how to "encrypt" with BCRYPT, because I know no one knows how to Google anything.
 

Geo

Newbie Spellweaver
Joined
May 6, 2016
Messages
16
Reaction score
28
Hello!
You can improve security for your users:

Open class.core.php
REPLACE

Code:
final public function hashed($password)
{
    return md5($password);
}

with

Code:
final public function hashed($password)
{
    $salt = "choose";
    $salt2 = "choose";
    return sha1($salt.$password.$salt2);
}

In $salt and $salt2 insert a random word, for example:

$salt = "549ut85fneif(%&495u8";
$salt2 = "5y8j4g89jndfsaui080??";

NB: If you can't log in because the error "Password incorrect" appears, you need to update all passwords from the old md5 encryptation to the new encryptation.
This barely increases security for users. Both MD5 and SHA1 are deprecated and considered unsafe for use due to practical collision attacks on them.

Further, this is hashing; not encryption. There's a huge difference.

You shouldn't choose your own salt like that unless you know what you're doing. It is generally safer to let the proper system functions generate one for you (/dev/urandom on UNIX & CryptGenRandom on Windows).

As mentioned above, you also didn't discuss backward compatibility issues. This would render an already active hotel broken since already existing users wouldn't be able to authenticate.

Use the native PHP functions: password_hash, password_verify, & password_needs_rehash for this. This will allow you to generate passwords with bcrypt which is considered modern and safe (this will also automatically generate you a secure salt, based on what system you are running).

password_needs_rehash can be used to check if the user's database hash is of another algorithm (such as MD5/SHA1), which will allow you to upgrade and store their new password without breaking anything.
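As an added example (not RevCMS's own code, and not posted by anyone in this thread), this is what the password_hash / password_verify / password_needs_rehash approach described in this reply looks like in PHP, including the login-time migration of existing MD5 rows that an earlier reply proposed. The helper names (hash_password, is_legacy_md5, check_and_upgrade, login) and the in-memory $users array are assumptions standing in for RevCMS's users table:

```php
<?php
declare(strict_types=1);

// Added example, not RevCMS code: replace the md5()-based hashed() with
// password_hash(), and upgrade legacy MD5 rows transparently at login using
// password_verify() and password_needs_rehash().
// hash_password(), is_legacy_md5(), check_and_upgrade(), login() and the
// $users array are hypothetical; a real site reads/writes its users table.

// Drop-in replacement for hashed(): bcrypt with a random salt that PHP
// generates itself and embeds in the returned string, so no salt column
// and no hand-picked $salt/$salt2 constants are needed.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

// A legacy md5() value is exactly 32 hex characters; password_hash() output
// starts with "$2y$" for bcrypt and is never a bare hex string, so the
// stored value alone tells us which verification path to take.
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Check $password against the stored value.
// Returns [bool $ok, ?string $newHash]; $newHash is non-null when the row
// should be rewritten with a stronger hash.
function check_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Legacy row: constant-time compare of the MD5 digest, then rehash
        // with bcrypt now that we have the plaintext in hand.
        if (!hash_equals($stored, md5($password))) {
            return [false, null];
        }
        return [true, hash_password($password)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }

    // Already a password_hash() value; rehash only if the algorithm or
    // cost parameter has changed since it was stored.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        return [true, hash_password($password)];
    }
    return [true, null];
}

// Login against an in-memory "users table" (username => stored hash).
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    [$ok, $newHash] = check_and_upgrade($password, $users[$username]);
    if ($ok && $newHash !== null) {
        // In a real site: UPDATE users SET password = ? WHERE id = ?
        $users[$username] = $newHash;
    }
    return $ok;
}

// Constructed sample data: one legacy RevCMS row and one already-migrated row.
$users = [
    'alice' => md5('hunter2'),                 // what the old hashed() stored
    'bob'   => hash_password('correct horse'), // stored by the new hashed()
];

// Wrong password against the legacy row: rejected, row left untouched.
var_dump(login($users, 'alice', 'wrong'), is_legacy_md5($users['alice']));
// Correct password: accepted, and the row is rewritten as bcrypt.
var_dump(login($users, 'alice', 'hunter2'), is_legacy_md5($users['alice']));
// Second login goes through password_verify() on the new hash.
var_dump(login($users, 'alice', 'hunter2'));
var_dump(login($users, 'bob', 'correct horse'));
```

Because the stored string itself reveals whether a row is still MD5, the separate "password_v2" column suggested earlier in the thread is not needed; the same column is overwritten the first time each user logs in successfully, and users who never return keep an MD5 hash you can later expire. Note that bcrypt only uses the first 72 bytes of the password, and that PHP's default bcrypt cost may rise between PHP versions, which is exactly the case password_needs_rehash handles.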
 