Upgrade Your Password Security


Hello together,

Today I want to share a small, but in my opinion useful, security upgrade for your player password hashes.
The current default hash, which most of you use (some exceptions might be out there), is the MD5
hash. This hash is not the best choice for hashing passwords these days, which is why I thought
about changing it. My solution for this is Argon2. This method won the Password Hashing Competition,
and that is why I chose it over bcrypt or scrypt.

This tutorial isn't a 100% beginner-friendly guide! Only follow my instructions if you
have a bit of C++ knowledge and know how to work with the source!


Create the libargon2


1. Download the Argon2 Git repository as a ZIP file and extract it.
2. Create a folder next to your libgame folder and name it libargon2.
3. Now copy include, src, Makefile and libargon2.pc.in into the newly created folder libargon2.

Now your folder should look like this: [screenshot of the libargon2 folder contents]


4. Now upload this libargon2 folder to your compile server and change into it.
5. Enter the command "gmake all" and wait for it to finish.
6. Go to your game source and open the Makefile.
7. Search for the MAINCPP = main.cpp part in the Makefile and add the code below above this line.
NOTE: You might need to edit the path to your libargon2!




# Argon2
INCDIR += -I../../libargon2/include
LIBDIR += -L../../libargon2
LIBS += ../../libargon2/libargon2.a

Now it should look like this: [screenshot of the edited Makefile]


You're done with libargon2!

 


Change the hash in the game-core source (for the default PASSWORD() MySQL function setup)
 



1. Open db.cpp and add at the top:




#include "../../libargon2/include/argon2.h"


2. Search for:




char szEncrytPassword[
char szPassword[

and replace it with

char szEncrytPassword[EArgon2::HASH_LENGHT * 2 + 1] = {0, };
char szPassword[EArgon2::HASH_LENGHT * 2 + 1] = {0, };

3. Search for:




"SELECT PASSWORD('%s'),password,securitycode,social_id,id,status,availDt - NOW() > 0,"

4. Remove the PASSWORD( ... ) part so that it looks like:




"SELECT '%s',password,securitycode,social_id,id,status,availDt - NOW() > 0,"

5. Now search a bit below for szLogin and add Argon2PasswordHash(pinfo->passwd).c_str(), in front of it.
This should look like this: [screenshot of the edited query arguments]


6. Search for AccountDB::AccountDB() : and add this piece of code above it:




std::string DBManager::Argon2PasswordHash(const char* c_pszPassword)
{
	std::string returnStr = "";

	uint8_t hash[EArgon2::HASH_LENGHT];
	// One fixed salt for every account: the account table only stores the hex digest, no per-user salt.
	uint8_t salt[] = "MYSALTISCOOL";
	uint32_t saltlen = strlen((char*)salt);

	uint8_t* pwd = (uint8_t*)strdup(c_pszPassword);
	uint32_t pwdlen = strlen((char*)pwd);

	// Argon2id with the cost parameters from EArgon2 (DB.h); the raw 64-byte digest is written to hash.
	int ret = argon2id_hash_raw(EArgon2::TIME_COST, EArgon2::MEMORY_COST, EArgon2::PARALLELISM, pwd, pwdlen, salt, saltlen, hash, EArgon2::HASH_LENGHT);
	free(pwd);

	// On failure (e.g. memory allocation) hash is uninitialized; return an empty string so the
	// login comparison fails instead of comparing garbage.
	if (ret != ARGON2_OK)
		return returnStr;

	// Hex-encode the digest: 64 bytes -> 128 characters, matching the widened password column.
	char s_buffer[EArgon2::HASH_LENGHT * 2 + 1];
	memset(s_buffer, 0x00, sizeof(s_buffer));
	for (uint32_t i = 0; i < EArgon2::HASH_LENGHT; ++i) {
		sprintf(s_buffer + (i * 2), "%02x", hash[i]);
	}

	returnStr = s_buffer;
	return returnStr;
}

7. Now open the DB.h file and add above typedef struct SUseTime this piece of code:




enum EArgon2
{
	HASH_LENGHT = 64,        // raw digest length in bytes; hex-encoded this is 128 characters
	TIME_COST = 2,           // Argon2 iterations (t_cost)
	MEMORY_COST = 1 << 16,   // memory in KiB (64 MiB)
	PARALLELISM = 1          // lanes/threads
};

8. Now search for std::vector<TUseTime>            m_vec_kUseTime; and add below:




public:
	std::string Argon2PasswordHash(const char* c_pszPassword);

9. Open input_auth.cpp and search again for:




"SELECT PASSWORD('%s'),password,securitycode,social_id,id,status,availDt - NOW() > 0,"

10. Change it to:




"SELECT '%s',password,securitycode,social_id,id,status,availDt - NOW() > 0,"

11. Look a bit below and change:




szPasswd, szLogin);

//CHANGE TO

DBManager::Instance().Argon2PasswordHash(szPasswd).c_str(), szLogin);

 

 

 


For now you just need to edit the account.account table and set the size of the password column to 128 (why 128? In DB.h, EArgon2::HASH_LENGHT = 64, and 64 * 2 = 128 hex characters).
You also need to replace your existing hashes with Argon2 ones. For this, use the generator at https://argon2.online
Example config for the tutorial setup: [screenshot; use the same parameters as the EArgon2 enum and the salt above]


Have fun ;)

Edited by Metin2 Dev

And is it compatible with PHP?

 

On MySQL8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes available on MySQL and cryptopp, which is already necessary)?


1 hour ago, hachiwari said:

Nice! 

btw. did you check or test the performance between old and new encryption?

No, I didn't test the performance difference.

1 hour ago, Karbust said:

And is it compatible with PHP?

 

On MySQL8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes available on MySQL and cryptopp, which is already necessary)?

Because, simplified, you can change so many parts of the input that the output will be different. Even if you use the same password and salt, the hash will be different in many ways. Test it with the online generator: if you just change the memory or the iterations, you will get different outputs. So as an attacker I need all of this information, and not just the hash algorithm, before I can search some rainbow tables and maybe find some data. Even generated keys which are stored on the server can be loaded by the algorithm to enhance the security of your system. So it's hard to get rainbow tables or otherwise forced data out of an Argon2 hash.

 

SHA is good, that's not the point here. But Argon2 can be better with an easier way of use.

 

(Of course this is my personal way of thinking, so it's up to everyone whether they want to use it or not)

 

Edit: Yes, since PHP 7.2 Argon2 is usable as an algorithm.

Edited by B4RC0D3

3 hours ago, Karbust said:

And is it compatible with PHP?

On MySQL8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes available on MySQL and cryptopp, which is already necessary)?

 

password_hash https://www.php.net/manual/en/function.password-hash.php

Example:

password_hash('test', PASSWORD_ARGON2I)

To log in you need to do a select on MySQL with the email name. Fetch the password and compare it with the function.
Example:
SELECT `password` FROM `account` WHERE `login` = 'test'

https://www.php.net/manual/en/function.password-verify.php

if (password_verify($_POST['password'], $row['password'])) {
    return true;
} else {
    return false;
}

 

@TOPIC

Nice idea, I was thinking recently whether to publish a similar solution.

 

  

3 hours ago, hachiwari said:

Nice! 

btw. did you check or test the performance between old and new encryption?

The performance is poorer, but the longer the hash computation takes, the harder it is to break. Imagine a computer that does 1 million MD5 per sec and 1k Argon2 per sec. Even if the calculation takes longer, it does not affect the performance of the game. The user will not feel the difference between logging in in 0.01 sec and 0.1 sec.

Edited by Alerin
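As an added example (not code from the tutorial or from any reply in this thread), the following Python shows how the two storage formats discussed here relate: the tutorial's 128-character hex column with its fixed salt, and the self-describing PHC string that libargon2's encoded API and PHP's password_hash produce, which is what makes the PHP question above answerable. It assumes the EArgon2 values and the salt from the tutorial are unchanged; the digest bytes used in testing are constructed, not real Argon2 output.

```python
import base64
import re

# Tutorial parameters (EArgon2 enum in DB.h) and its fixed salt, assumed unchanged.
TIME_COST = 2
MEMORY_COST = 1 << 16         # Argon2 m_cost is in KiB, so 64 MiB
PARALLELISM = 1
HASH_LENGTH = 64              # raw digest bytes; stored as 128 hex characters
FIXED_SALT = b"MYSALTISCOOL"  # one salt shared by every account

def _b64(data: bytes) -> str:
    """PHC strings use standard base64 without '=' padding."""
    return base64.b64encode(data).decode("ascii").rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))

def raw_hex_to_phc(hex_hash: str, salt: bytes = FIXED_SALT, t: int = TIME_COST,
                   m: int = MEMORY_COST, p: int = PARALLELISM) -> str:
    """Wrap the game's 128-char hex column value in PHC form
    ($argon2id$v=19$m=..,t=..,p=..$salt$hash); the raw digest itself is unchanged."""
    raw = bytes.fromhex(hex_hash)
    if len(raw) != HASH_LENGTH:
        raise ValueError("expected a %d-byte raw Argon2 hash" % HASH_LENGTH)
    return "$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s" % (m, t, p, _b64(salt), _b64(raw))

_PHC = re.compile(r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
                  r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$")

def parse_phc(encoded: str) -> dict:
    """Recover variant, cost parameters, salt and digest from a PHC string."""
    match = _PHC.match(encoded)
    if not match:
        raise ValueError("not an Argon2 PHC string")
    variant, ver, m, t, p, salt, digest = match.groups()
    return {"variant": variant, "version": int(ver), "m": int(m), "t": int(t),
            "p": int(p), "salt": _unb64(salt), "hash": _unb64(digest)}

def classify_stored_password(value: str) -> str:
    """Tell apart the formats a partly migrated account table may hold."""
    if value.startswith("$argon2"):
        return "phc"
    if re.fullmatch(r"[0-9a-fA-F]{128}", value):
        return "argon2-raw-hex"      # the tutorial's new column layout
    if re.fullmatch(r"\*[0-9A-F]{40}", value):
        return "mysql-password"      # MySQL PASSWORD() output the old query relied on
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5-hex"             # the legacy MD5 the tutorial mentions
    return "unknown"
```

classify_stored_password lets a migration script decide per row whether a value still needs re-hashing, and raw_hex_to_phc makes the tutorial's column verifiable by any Argon2 implementation that reads PHC strings without recomputing anything.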
