[Suggestion] DIALOG_STYLE_PASSWORD_SECURE
#1
DIALOG_STYLE_PASSWORD_SECURE

I suggest the (client/server) implementation of this new dialog style, which is basically DIALOG_STYLE_PASSWORD, but returning an already bcrypt-hashed string in the inputtext argument: the server has access to the unhashed password, but not in the script.

Yes, the server scripter could still access the plain text password by using plugins that intercept the data sent between the server and the client, but the goal is not to prevent him from doing so, but to promote the hashing of passwords out of the box.

The client-side dialog interface should show a "trusted" icon (or anything similar), with a tooltip appearing on mouse hover, telling the user that his password is secure.

[Image: image.png]
#2
(2019-04-30, 08:03 AM)Sasino97 Wrote: Yes, the server scripter could still access the plain text password by using plugins that intercept the data sent between the server and the client,

If the client already sends a hashed password, then there would be no way to access it.
Good idea, but if it's possible to re-create that icon in the corner, you could fake a secure password and make the players think that they're inputting a safe password.
#3
This could actually be enforced on the server as well.
#4
I think he means that it is encrypted within O-MP before it is passed to the script. Therefore it forces server owners to use already encrypted passwords.

As much as I like this, it would mean that there would have to be a way to pass a salt as well as the password to the gamemode

and also allow some global way to set the pepper.
#5
(2019-05-01, 03:52 PM)JustMichael Wrote: I think he means that it is encrypted within O-MP before it is passed to the script. Therefore it forces server owners to use already encrypted passwords.

As much as I like this, it would mean that there would have to be a way to pass a salt as well as the password to the gamemode

and also allow some global way to set the pepper.



Well, there's no salt problem if we use bcrypt, since it stores the digest and the salt in the same string.



(2019-05-01, 02:36 PM)hual Wrote: This could actually be enforced on the server as well.



Yes true, but only if the encryption is made client-side, which is actually a good idea.



(2019-04-30, 02:27 PM)BloodMaster Wrote:
(2019-04-30, 08:03 AM)Sasino97 Wrote: Yes, the server scripter could still access the plain text password by using plugins that intercept the data sent between the server and the client,



If the client already sends a hashed password, then there would be no way to access it.

Good idea, but if it's possible to re-create that icon in the corner, you could fake a secure password and make the players think that they're inputting a safe password.



In the optic of creating a totally customizable open.mp, yes that's true, but it would be no easy task to reproduce it perfectly.
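
The point made in post #5, that a bcrypt string carries its own salt, shown as an added example (not part of the thread and not open.mp code): a parser for the standard 60-character bcrypt string, the kind of value the proposed dialog style would place in `inputtext`. The names `parse_bcrypt`, `b64_decode` and `SAMPLE` are made up for this illustration, and the sample string is constructed, not the hash of any password.

```python
import re

# bcrypt uses its own base64 alphabet, ordered differently from RFC 4648.
B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Constructed sample for the illustration (assumption, not a real hash).
SAMPLE = "$2b$12$" + "." * 22 + "/" * 31


def b64_decode(text, nbytes):
    """Decode bcrypt-alphabet base64 text into exactly nbytes bytes."""
    bits = 0
    for ch in text:
        bits = (bits << 6) | B64.index(ch)
    # The encoding is MSB-first; drop the unused padding bits at the end.
    padding = 6 * len(text) - 8 * nbytes
    return (bits >> padding).to_bytes(nbytes, "big")


def parse_bcrypt(stored):
    """Split a stored bcrypt string into version, cost, salt and digest."""
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a 60-character bcrypt string")
    version, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError("bcrypt cost must be between 04 and 31")
    return {
        "version": version,
        "cost": int(cost),
        "salt": b64_decode(salt, 16),      # 128-bit salt
        "digest": b64_decode(digest, 23),  # 184-bit digest
        # Prefix a verifier reuses to re-hash a login attempt.
        "settings": stored[:m.end(3)],
    }


if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE))
```

Verification re-hashes the login attempt with the salt and cost taken from the stored string, so two hashes of the same password made with different salts do not compare equal.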