Security & hashing etc


JohnnyD
Posts: 128
Joined: 29 Oct 2007, 22:13

Security & hashing etc

Post by JohnnyD » 12 Sep 2008, 07:09

SFS supports functionality for secure login by sending salted MD5 hashes of passwords to the server.

But this relies on the server storing the password in plain text. Best practices would say the server should store a salted hash, which breaks this. Can you suggest an approach if the server stores hashed passwords?
BigFIsh
Posts: 1698
Joined: 25 Feb 2008, 19:26
Location: New Zealand

Post by BigFIsh » 12 Sep 2008, 20:01

Step 1: Registration - upon registration, the application encrypts the password and then sends it to the server for database storage purposes. Note, it would be ideal if you did this via https since you cannot add random letters to the password.

Step 2: Login - when you log in, have the application encrypt the password first, i.e. var mypass = m5_encrypt(password.text), then encrypt it again along with the random key sent from the server, i.e. var myM5 = m5_encrypt(randomKeyFromServer + mypass).

Step 3: Server side - upon receiving the password via evt["pass"], store this locally. Retrieve the "hashed" password from the database, along with the random key sent to the client (var key = _server.getSecretKey(chan)), where chan is the channel of that specific user (evt["chan"]). Encrypt these two together (dbase password + key), i.e. m5_encrypt(hashedPasswordFromDatabase + key), and then compare it with the password received from evt["pass"].

Hope this helps
Smartfox's forum is my daily newspaper.
