This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Using a Hash with Passwords

Started by CastleMan2000, 01 February 2013 - 03:19 AM
CastleMan2000 #1
Posted 01 February 2013 - 04:19 AM
Using a hash function such as sha256, how would I use it correctly to secure my password? I have a password program, but the password is stored in plaintext and I would like to use a hash of it instead. Would I hash my password, use the resulting hash as the password variable, and hash the inputted password to see if it matches?
PhilHibbs #2
Posted 01 February 2013 - 04:27 AM
When the password is set, hash it and store the hashed value instead of the plaintext. When the password is entered, hash it and compare the hash result against the stored hash value.
DiamondOwner #3
Posted 01 February 2013 - 09:51 AM
how do you hash a value/string?
NeverCast #4
Posted 01 February 2013 - 09:52 AM
Using a hash function like SHA-1 or SHA-256

Use the search feature on the forum, you'll find one :)
GravityScore #5
Posted 01 February 2013 - 01:59 PM
Find an SHA-256 hash here.

To do this, as soon as you've read the password, hash it. Then deal with it like a normal password - save it to a file, load another from a file, compare it. It's just the same thing, but the password is different to what the user has typed. When you create an account, as soon as you've read the password, hash it, then store it or whatever. Deal with it exactly like a normal password.
PixelToast #6
Posted 01 February 2013 - 03:20 PM
hashing is used so if someone gains access to a server they can steal all the passwords but have to brute force them before they are usable
the same applies for CC, if someone terminates it and steals your password file.
SHA and md5 are waay overkill for cc imo

(1337th post)
DiamondOwner #7
Posted 01 February 2013 - 04:44 PM
thx for the link and i'm using it for my own small system of programs bundled up into a computer. can the code (from a program) still be executed when it's hashed or do i have to undo the hash 1st?
PhilHibbs #8
Posted 01 February 2013 - 08:53 PM
You can't hash a program, hashing cannot be undone other than by time-consuming guesswork.
DiamondOwner #9
Posted 02 February 2013 - 08:23 AM
that kind of sucks. i guess i'll use encryption instead.
PhilHibbs #10
Posted 11 February 2013 - 04:14 AM
that kind of sucks. i guess i'll use encryption instead.
The problem is that you have to decrypt the code in order to run it. So you have to give the user the means to decrypt your code. You can "obfuscate" it by mangling the variable names and removing white space but that can be solved - the Minecraft code is heavily obfuscated in order to prevent cheating, yet modders have cracked it and made mods. Therefore ComputerCraft only exists because what you want is impossible. So no it doesn't suck!
raineth #11
Posted 11 February 2013 - 06:30 AM
Using a hash function such as sha256, how would I use it correctly to secure my password? I have a password program, but the password is stored in plaintext and I would like to use a hash of it instead. Would I hash my password, use the resulting hash as the password variable, and hash the inputted password to see if it matches?
It sounds like you've got it exactly right. For extra security, you could also use a salt. In cryptography, a salt is an extra piece of information hashed into the password but also stored alongside it – unhashed. This has several advantages, but the only one that would be very useful inside Minecraft is making rainbow tables useless. A rainbow table is a huge list of precomputed hashes that can make it trivial to determine the hash's input.

Say, for example, that your password is "cheese". SHA256("cheese") = 873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34. Now, suppose someone manages to get access to your hashed password. Even though it's practically impossible to go from the hash back to the word "cheese" computationally, if you do a Google search for the hash you'll find several sites telling you that SHA256("cheese") will get you the same hash (because "cheese" is a common word and several people have precomputed hashes for it.)

If you added a salt to the previous example – let's say your salt is a random number generated right before hashing (42 in this example) – you would end up hashing salt + password and storing salt + hash. SHA256("42,cheese") = 3ad58e630e3e7b33985c3f08e5d07347b52c28d29a658b0bef576c8e8baab18a, so in your code/password database you would store 42,3ad58e630e3e7b33985c3f08e5d07347b52c28d29a658b0bef576c8e8baab18a. When validating the password, you would split apart the salt (42) and hash (3ad58…), compute SHA256("42,[password to check]") and see whether it matches the hash (3ad58…).
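
The salted scheme described in the post above, as an added example that is not part of the original thread. It is written in Python rather than ComputerCraft Lua because Python ships SHA-256 in its standard library; the function names, the small word list standing in for a rainbow table, and the random 16-hex-character salt are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[str] = None) -> str:
    """Return 'salt,hash' where hash = SHA256(salt + ',' + password)."""
    if salt is None:
        salt = secrets.token_hex(8)  # fresh random salt for every password
    if "," in salt:
        raise ValueError("salt must not contain the ',' separator")
    return salt + "," + sha256_hex(salt + "," + password)


def check_password(record: str, candidate: str) -> bool:
    """Split the stored record, re-hash the candidate with the same salt."""
    salt, sep, stored = record.partition(",")
    if not sep or len(stored) != 64:
        return False  # malformed record: fail closed
    computed = sha256_hex(salt + "," + candidate)
    # Constant-time comparison so timing does not leak how many chars match.
    return hmac.compare_digest(computed, stored)


# Constructed stand-in for a rainbow table: precomputed hashes of common words.
COMMON_WORDS = ["password", "cheese", "dragon"]
PRECOMPUTED = {sha256_hex(word): word for word in COMMON_WORDS}


def lookup(stored_hash: str) -> Optional[str]:
    """Return the word whose unsalted hash matches, or None."""
    return PRECOMPUTED.get(stored_hash)


if __name__ == "__main__":
    unsalted = sha256_hex("cheese")
    record = make_record("cheese", salt="42")  # salt fixed only for the demo
    print("unsalted lookup:", lookup(unsalted))
    print("salted lookup:  ", lookup(record.split(",")[1]))
    print("correct password accepted:", check_password(record, "cheese"))
    print("wrong password accepted:  ", check_password(record, "cheddar"))
```

A salt defeats precomputed tables but does not slow down guessing against one stolen record, because a single SHA-256 pass is fast. Python's `hashlib.pbkdf2_hmac` is a standard-library option for a deliberately slow password hash.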
tesla1889 #12
Posted 11 February 2013 - 06:41 AM
–snip–
SHA and md5 are waay overkill for cc imo
–snip–

sha-1 only takes about 3-4 hours to crack

i've cracked people's passwords for them when they forgot using bruteforce, and it really doesn't take that long

md5 takes less time than that