- olink [11:37 AM]
- what are you doing to the login code now
- olink [11:37 AM]
- @nicatrontg:
- nicatrontg [11:37 AM]
- moved the entire system to bcrypt
- nicatrontg [11:38 AM]
- and added a migration system to move existing passwords to bcrypt
- nicatrontg [11:38 AM]
- it works, but once someone logs in
- nicatrontg [11:38 AM]
- it’s game over
- nicatrontg [11:38 AM]
- their hash is a bcrypt hash now
- nicatrontg [11:38 AM]
- and bcrypt hashes aren’t checked using just equivalence
- olink [11:38 AM]
- how are you migrating salted passwords to something else?
- nicatrontg [11:39 AM]
- we don’t salt passwords
- nicatrontg [11:39 AM]
- :keepo:
- nicatrontg [11:39 AM]
- at first login, we use the old code
- olink [11:39 AM]
- we do something
- olink [11:39 AM]
- Kappa
- nicatrontg [11:39 AM]
- verify that your password matches
- nicatrontg [11:39 AM]
- and then move it to bcrypt
- olink [11:39 AM]
- so you added a field that checks if it's been migrated
- olink [11:39 AM]
- i reject
- olink [11:39 AM]
- bad solution
- nicatrontg [11:39 AM]
- no, didn't
- olink [11:40 AM]
- so you check against a normal hash first, every time?
- nicatrontg [11:40 AM]
- bcrypt hashes are $2a$workfactor$salt.hashedpass
- nicatrontg [11:40 AM]
- if it doesn’t start with $2a it isn’t a bcrypt hash
- olink [11:40 AM]
- also uhmmm
- olink [11:40 AM]
- there's a reason we added crypto in the config
- olink [11:40 AM]
- so that it's optional, no?
- nicatrontg [11:41 AM]
- the only reason why it’s in the config is to support xp
- olink [11:41 AM]
- not really
- nicatrontg [11:41 AM]
- aka lower crypto versions than sha256
- olink [11:41 AM]
- I'm pretty sure it supports md5
- nicatrontg [11:41 AM]
- md5 is shit
- olink [11:41 AM]
- yes, but we offer it as an option
- olink [11:41 AM]
- I don't agree with forcing a new crypto on people
- nicatrontg [11:41 AM]
- that was 2011
- olink [11:41 AM]
- make it optional
- nicatrontg [11:41 AM]
- no
- olink [11:41 AM]
- then you have a :-1:
- nicatrontg [11:41 AM]
- lol, I can prove you wrong scientifically
- olink [11:42 AM]
- because you don't just go change someone's database
- olink [11:42 AM]
- if they don't want it
- olink [11:42 AM]
- if people want bcrypt they will switch to it
- olink [11:42 AM]
- if they don't care, which most don't, then it's just a pita
- nicatrontg [11:42 AM]
- no, it’s trivial and automatic
- olink [11:42 AM]
- to you yes
- olink [11:43 AM]
- but to someone running a server
- olink [11:43 AM]
- they could care less
- olink [11:43 AM]
- also good job breaking bamboo!
- nicatrontg [11:43 AM]
- I broke bamboo?
- olink [11:44 AM]
- if you change workfactor
- olink [11:45 AM]
- won't it fail to find previous passwords
- olink [11:45 AM]
- based on older work factors?
- olink [11:45 AM]
- im not a bcrypt export
- nicatrontg [11:45 AM]
- Nope, the work factor is stored in the password
- olink [11:45 AM]
- expert even
- nicatrontg [11:45 AM]
- If you run verify, it uses the stored work factor
- nicatrontg [11:45 AM]
- which is why people call it future proof
- nicatrontg [11:45 AM]
- you can upgrade the workfactor silently, and new users get more security for free
- olink [11:45 AM]
- And the BCrypt lib doesn't support parsing a password
- olink [11:45 AM]
- that's rich for future proof
- olink [11:46 AM]
- >implement your own parsing of passwords
- nicatrontg [11:46 AM]
- what does “parsing a password” mean?
- olink [11:46 AM]
- :keepo:
- olink [11:46 AM]
- https://github.com/NyxStudios/TShock/commit/08fae75c0ccab2fab1e1b3b47c421c5cd27dacfe
- olink [11:46 AM]
- If someone is going to make a lib for doing bcrypt work, they should probably also provide the tools for working with an existing password
- nicatrontg [11:46 AM]
- that’s just my check to get the work factor
- olink [11:46 AM]
- yes the lib should do that
- olink [11:46 AM]
- hence why I said what I said
- olink [11:48 AM]
- did you verify that you didn't potentially break the login hooks?
- olink [11:48 AM]
- one of which passes password
- olink [11:51 AM]
- > This also changes User.Password to private set to prevent further accidents.
- olink [11:51 AM]
- > public string Password { get; internal set; }
- olink [11:51 AM]
- :keepo:
- olink [11:53 AM]
- also any reason you didn't obsolete or outright remove the old hashing stuff?
- nicatrontg [11:53 AM]
- please, wait for PR lol
- nicatrontg [11:53 AM]
- I’m explaining it all
- nicatrontg [11:53 AM]
- it’s a lot
- nicatrontg [11:53 AM]
- well, ask here*
- nicatrontg [11:53 AM]
- I’ll answer in PR
- olink [11:53 AM]
- I'm trying to save you time by having you address the problems before you pr
- nicatrontg [11:54 AM]
- the old hashing stuff is obsoleted, in Utils
- nicatrontg [11:54 AM]
- unfortunately, we need to keep it around somewhere
- nicatrontg [11:54 AM]
- so that we can still convert the old passwords
- olink [11:54 AM]
- if it's still being used don't obsolete it I guess
- olink [11:54 AM]
- because this code will never be removable
- nicatrontg [11:54 AM]
- well, again, I obsolete the public code
- bccccc [11:54 AM]
- why would you want to parse a password?
- nicatrontg [11:54 AM]
- the private internal code is not obsoleted
- olink [11:55 AM]
- because apparently the password contains the information about the crypto algo
- olink [11:55 AM]
- because "future proof"
- bccccc [11:55 AM]
- suddenly we're storing metadata in passwords
- nicatrontg [11:55 AM]
- @bccccc: please, learn 2 bcrypt
- olink [11:55 AM]
- bcrypt apparently does
- olink [11:55 AM]
- also, as I was saying
- olink [11:55 AM]
- we can't remove that hashing code anyways
- olink [11:55 AM]
- because there will be one user down the road
- olink [11:55 AM]
- in 2 years
- olink [11:55 AM]
- who will log into an account
- nicatrontg [11:55 AM]
- yes, exactly
- olink [11:55 AM]
- and it'll still be sha256
- nicatrontg [11:56 AM]
- but the public code doesn’t need to exist
- olink [11:56 AM]
- hence why I think it's stupid to half switch them
- nicatrontg [11:56 AM]
- (in Utils.cs, there is public code, that should be removed)
- olink [11:57 AM]
- whelp, there's one failure
- olink [11:57 AM]
- should probably commit the dll
- nicatrontg [11:57 AM]
- oops
- nicatrontg [11:57 AM]
- bins are gitignored
- nicatrontg [11:57 AM]
- let me just go add that
- nicatrontg [11:57 AM]
- lol
- olink [11:58 AM]
- while you are there
- olink [11:58 AM]
- can you move all those folders into one References Folder, and move Newtonsoft up there as well
- olink [11:58 AM]
- also
- olink [11:58 AM]
- rip bamboo