DIALOG_STYLE_PASSWORD_SECURE
Posted by: Sasino97 - 2019-04-30, 08:03 AM - Forum: Questions and Suggestions
- Replies (4)
|
|
DIALOG_STYLE_PASSWORD_SECURE
I suggest the (client/server) implementation of this new dialog style, which is basically DIALOG_STYLE_PASSWORD, but returning an already bcrypt-hashed string in the inputtext argument: the server has access to the unhashed password, but the script does not.
Yes, the server scripter could still access the plain-text password by using plugins that intercept the data sent between the server and the client, but the goal is not to prevent him from doing so, but to promote the hashing of passwords out of the box.
The client-side dialog interface should show a "trusted" icon (or anything similar), with a tooltip appearing on mouse hover, telling the user that his password is secure.
|
|
|
A Proper Way to Store Passwords
Posted by: Sasino97 - 2019-04-30, 07:50 AM - Forum: Tutorials
- Replies (11)
|
|
A Proper Way to Store Passwords
By Sasinosoft
This is an edited version of my SA-MP forums article about storing passwords the most secure way.
Introduction
The first thing we must be aware of when programming anything that will ask the user to enter a password is that the user is giving us their trust. It is our duty to keep their password as safe as possible, so that in case of an attack on our servers, the attacker will not be able to read it.
You might think, in the case of San Andreas Multiplayer, that "it is just a game", so the security of game accounts is not to be taken seriously. However, a poll showed that 59% of people use the same password everywhere or almost everywhere. [source]
If the attacker gets access to your game database, he will most likely obtain all your users' nicknames and passwords, and if they are not properly hashed, then congratulations: you have just made his work easier. After getting this information, the attacker will proceed to check, for each user, whether he is registered on the main websites, such as Google, Microsoft and mail providers, using the passwords and user names he just stole, and this creates high security risks, including the possibility of stealing payment information.
Here are a few tips to make his work harder.
Do not store passwords in plain text
It is believed that at least 30% of websites store passwords in plain text. [source] This is really a shame, and it must come to an end. If any website emails your password back in plain text, then it is likely storing your password as such, and compromising your security on all the websites where you used the same password.
You must never do so. In the case of a San Andreas Multiplayer server, as soon as you receive the user's password in the inputtext parameter of OnDialogResponse, you must one-way hash it. Fortunately, the developers of SA-MP added the SHA256_PassHash function in version 0.3.7 R2-1, so there is no more excuse for those who don't like to use external plugins. [great tutorial]
That said, I also add that there are better algorithms than SHA-256, such as bcrypt. On the Burgershot forums you can find at least two plugins for bcrypt [SyS's SampBcrypt] [Bork's samp-crypto].
Do not simply hash the password and store it
Why? Just hashing the password and storing it adds very little security; most users' passwords are simple words or numbers which can be found in dictionaries. If this is the case, the attacker will easily discover the user's password simply by searching for the hash in rainbow tables; these are per-algorithm tables which already contain the hashes of the most common passwords and more, and they are publicly available on the internet. [example]
To avoid this problem, and force the attacker to use brute-force attacks, thus wasting his time, money and energy and reducing his motivation to get the passwords, you must put salt on them.
The salt is a value that is concatenated to the password before hashing it; there are different ways to do this, and different opinions about how it should be done. [tutorial for SA-MP - Whirlpool] The salt is unique for each user, and it is not intended to be secret: its value is stored in plain text in the database at the moment of registration, and it is read by your program when the user attempts to log in.
Do not use usernames as salt
If your SA-MP server does this, and another website on which your user is registered with the same username and the same password does the same, both databases will contain the same password hash for that user. If the attacker, after getting a copy of your database and that of the other website, notices this coincidence, then he will most likely focus on this particular user.
Also, if you implemented a system to let the user change his password, you would then hash the new password with the same salt as before: you usually want to avoid this.
The best practice is to generate a random string the first time the user registers, and to store it in the database in a separate column. When the user wants to change his password, your program will generate a new random string and update the value in the database.
Avoid writing your own hashing algorithm
While it may seem a good idea to write your own algorithm so that there are no pre-made attacks against it, it's not. Really motivated hackers will simply analyze it and then crack it. Do not do this, unless you work for the NSA and your algorithm has been tested for years. Do not do this even if you have studied cryptography and security. This is because, even if you think that your algorithm is strong enough, it has not been tested enough against all the possible kinds of attack. Do not take the risk, and if you have written one, just keep it as your personal project.
Use bcrypt
In this post I mentioned different hashing algorithms whose implementations are also available for SA-MP servers. I must also say that the best option you have is to use bcrypt [SyS's SampBcrypt] [Bork's samp-crypto].
The primary advantage is that bcrypt, unlike the other algorithms mentioned here, aims at being slow to execute, especially on GPUs. When we are computing our hash during user registration or login, we don't care if it takes 1 second or more, because most likely the user will not notice it; instead, we really care about the attacker being as slow as possible at brute-force/dictionary attacking our hashed password. SHA and Whirlpool are aimed at being as fast as possible to execute, and while this means that the user's password is checked in the blink of an eye, it also means that the attacker is able to crack the password in less time (with the appropriate equipment).
By using bcrypt, we make it almost impossible for an attacker to crack the password, and definitely not worth it for him.
Among the advantages, I have to mention that bcrypt will generate the salt for you and put it in the same string as the hash, so you will just need one database column.
We hope that the open.mp team will implement native support for bcrypt in the API.
Bonus tips
- Also put pepper. Pepper is another value that is added to the algorithm before the final hash, but instead of being a different value for each user, it is a single constant string which is used for every hash, and it is secretly hardcoded in your code. Of course, after your first user is registered, you must never change it again.
- Force the user to use a password of a certain minimum length, made of multiple words.
- In your register dialog, tell the user not to use the same password as on other websites or SA-MP servers, and not to tell his password to anyone.
- Ask the user to input his password twice during the registration and password-change procedures.
- Kick the user and prevent him from logging in again for a certain time if he fails to log in a certain number of times. This makes direct brute-force attacks against your server impractical.
- Implement a system to change the password, and encourage your users to change it when they feel it is compromised.
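The storage scheme the post describes, written out as an added example that is not part of the post and is not code from SampBcrypt, samp-crypto or any SA-MP plugin. It is in Python rather than Pawn because the bcrypt plugins the post links are server natives that cannot run outside the game server; hashlib.pbkdf2_hmac stands in for bcrypt as the deliberately slow KDF (an assumption of this example, chosen because bcrypt is not in the Python standard library), the pepper is mixed in through HMAC before the KDF (one of several ways to apply it), and the pepper value, wordlist and in-memory account store are constructed for the example. It goes slightly beyond the post by also implementing the bonus tips on password changes (fresh salt each time) and on locking an account after repeated failures.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed secret for this example. A real server keeps the pepper out of
# the database (e.g. a constant in the script) and never changes it once users
# have registered, because every stored hash depends on it.
PEPPER = b"constructed-example-pepper"
ITERATIONS = 100_000   # cost parameter: raise it until one hash takes a noticeable fraction of a second
MAX_FAILURES = 3       # failed logins before the account is locked
LOCKOUT_SECONDS = 300  # how long the lock lasts


def weak_unsalted_hash(password):
    """What the post warns against: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_rainbow_table(wordlist):
    """The attacker's precomputed hash -> password map for one algorithm."""
    return {weak_unsalted_hash(word): word for word in wordlist}


def crack_unsalted(leaked_hash, table):
    """One dictionary lookup recovers an unsalted hash; no brute force needed."""
    return table.get(leaked_hash)


def hash_password(password, iterations=ITERATIONS):
    """Random 16-byte salt per call (so a password change gets a fresh salt),
    pepper mixed in through HMAC so it never reaches the database, then a slow
    KDF. Salt, cost and digest are packed into one string, as bcrypt does, so a
    single database column holds everything needed to verify."""
    salt = os.urandom(16)
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    _, _, iterations, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac("sha256", peppered, salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


class AccountStore:
    """Constructed in-memory stand-in for the server's user table."""

    def __init__(self):
        self.records = {}  # name -> {"hash": str, "failures": int, "lock_until": float}

    def register(self, name, password):
        self.records[name] = {"hash": hash_password(password), "failures": 0, "lock_until": 0.0}

    def change_password(self, name, new_password):
        # hash_password() draws a new salt, so the old salt is never reused.
        self.records[name]["hash"] = hash_password(new_password)

    def login(self, name, password, now=None):
        """True only for a correct password on an unlocked account.
        `now` is injectable so the lockout can be exercised without sleeping."""
        now = time.time() if now is None else now
        rec = self.records.get(name)
        if rec is None or now < rec["lock_until"]:
            return False
        if verify_password(password, rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["lock_until"] = now + LOCKOUT_SECONDS  # the post's "kick and block for a while"
        return False


if __name__ == "__main__":
    table = build_rainbow_table(["123456", "password", "qwerty"])  # constructed wordlist
    print(crack_unsalted(weak_unsalted_hash("qwerty"), table))     # recovered instantly
    store = AccountStore()
    store.register("bob", "correct horse battery staple")
    print(store.login("bob", "correct horse battery staple"))
```

Two things worth noticing when running it: two calls to hash_password() with the same password return different strings, which is exactly why a leaked table cannot be matched against a rainbow table or across sites, and verify_password() still succeeds for both because the salt travels inside the stored string. One caveat: login() returns early for unknown names without running the KDF, so a remote attacker could time responses to tell registered names from unregistered ones; running the KDF against a dummy hash in that branch removes the difference.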
|
|
|
Will they add this?
Posted by: air - 2019-04-29, 04:00 PM - Forum: Discusión GTA SA Multijugador
- Replies (3)
|
|
Will a security patch be added to open.mp? It's something SA-MP doesn't have and which has been begged for...
It's about a security patch to prevent as many attacks on servers as possible.
What are you thinking of doing about this?
|
|
|
SAMPLauncherNET client for GTA:SA to play online
Posted by: [SF]kAn3 - 2019-04-29, 02:02 PM - Forum: Videos and Screenshots
- Replies (7)
|
|
Hello folks. I like this client and hope it will get more famous amongst SA-MP players, so I've recorded a simple and short video about it.
I know some players who have played SA-MP for a long time, and when we spoke about it they didn't really know what it's all about, so here we are!
Thanks for your hard work, cheers!
|
|
|
Mod name
Posted by: Manyula - 2019-04-29, 01:20 PM - Forum: Questions and Suggestions
- Replies (8)
|
|
Some time ago I wondered how the name "open multiplayer" came about. I mean, of course we're talking about a multiplayer mod which will eventually be open sourced. But in terms of SEO, this name is not favorable to attracting new people. I understand that the initial intention was to cater to the existing SA:MP playerbase, but for anyone out of the loop, it's hard to find out about this modification. Have you thought about better alternative names for the project in terms of SEO?
Here are a couple of suggestions:
- San Andreas Online
- Open San Andreas
- Open San Andreas Multiplayer
|