Password Hashing


#1

Hi,

What options do you have for password hashing? I’m working on a user system and noticed that I couldn’t see much documentation in terms of password hashing.

Thanks.


#2

MySQL has password encryption.


#3

Well don’t use MD5. Maybe this https://github.com/thibaultcha/lua-argon2.


#4

Doesn’t MySQL only have MD5 and SHA-1 hashing?

If you’re serious about securing users’ passwords, look up some of the more secure hashing algorithms that are still cryptographically secure (e.g. SHA-2) and try and find a Lua implementation of it. If you’re not really that bothered about keeping the passwords secure, then you can probably get away with the less secure algorithms that can easily be reversed (MD5 and SHA-1).

Edit: If you would like to read more about how to store passwords then take a gander at this article.


#5

I said MySQL hashing because it was the first thing that popped to mind as an easy hash. Wasn’t really sure how secure he wanted to get with it.


#6

I wouldn’t use MD5 and SHA-1 due to their insecurities.

The solution I have found is to use SHA2 in my MySQL query until I figure out how to implement argon2.


#7

You can use SHA256 too…


#8

Why do you need passwords, anyway? Servers can authenticate players using low-variance identifier sources like Steam, already.

In addition:

local hash = GetPasswordHash('meow')
VerifyPasswordHash('woof', hash) -- false
VerifyPasswordHash('meow', hash) -- true

#9

Don’t use MySQL password encryption. The password is still sent in plain text to the server.
Best way is to encrypt on the client.

Why? Maybe people don’t have Steam but still want an account not based on their IP.


#10

… and then authentication is still silly, modern password hashes wouldn’t allow verification of such hashes, and if done badly you can just authenticate with the same hash anyway. Why do you think most prominent webapps actually don’t hash on clients?

And how much does a Steam account cost? Oh yeah that’s right, nothing.


#11

sha2-256 or sha3-256? There is no such thing as just ‘sha256’…


#12

sha2-256 one of them


#13

Thanks for the response, I’d prefer to use Steam as an authentication method if there was more documentation available


#14

>can make a login system probably using NUI and some database system when that is literally not documented at all
>can’t read the wiki for the one call needed for Steam authentication

… or this is a demand, ‘make more documentation and I’ll use Steam auth even though that’s already documented’


#15

No this isn’t a demand, and I’m not trying to have a go. I scanned the wiki for functions and I’ve clearly missed it, so sorry for not paying enough attention.

I think you could have put your post across in a better manner, but oh well.