[stormeus]

Stormeus' Improved Hashing ( lu_hashing2 )

This module is an improvement and a variant of Liberty Unleashed's lu_hashing module, which ships with the server. This version offers a wider variety of hashing functions which are more secure, while still offering backward-compatibility by allowing the use of the SHA1 and (insecure!!) MD5 algorithms.

Functions
Acceptable for password hashing and storage

• SHA224( szString )
• SHA256( szString )
• SHA384( szString )
• SHA512( szString )
• RIPEMD128( szString )
• RIPEMD160( szString )
• RIPEMD256( szString )
• RIPEMD320( szString )
• WHIRLPOOL( szString )

NOT acceptable for password hashing and storage.

• SHA1( szString )
  
  Algorithmically weak and contains weaknesses that make it relatively easy to crack. This function is only provided for backwards-compatibility. If you are creating a new script, DO NOT USE THIS.
  
  
• MD5( szString )
  
  MD5 has flaws in its algorithm that allows it to be broken relatively easily. This function is only provided for backwards-compatibility. If you are creating a new script, DO NOT USE THIS.
  
  
• base64_encode( szString )
  base64_decode( szString )
  
  base64 is easily encoded and decoded. Storing passwords with base64 is not recommended ever because it is extremely easy to reverse.

Installation
Extract lu_hashing2.dll/so to your Modules folder. Place this line of code somewhere in onScriptLoad:
     LoadModule( "lu_hashing2" );

Download
Windows binary [.dll]
Linux binary [.so]
Source code

Test script [.nut]

Screenshot

[Juppi]

Very nice work

I would recommend people to replace the default hashing module with this one, no script changes are required since the module is backwards compatible with the old one. (Still, get rid of those MD5'd passwords you all!)

[GuenosNoLife]

Very nice work

I would recommend people to replace the default hashing module with this one, no script changes are required since the module is backwards compatible with the old one. (Still, get rid of those MD5'd passwords you all!)

Okay, thank's Stormeus for this security

[Thijn]

oooh fancy. Nice work

[NC]

MD5 insecure, reallllllllllyyyyy?

[SugarD]

MD5 insecure, reallllllllllyyyyy?

It actually is in comparison to many others. Being that it was the most popular hashing method throughout the world for a very long time, it has become very easy to crack because so many people had focused on reversing it.

[VRocker]

MD5 insecure, reallllllllllyyyyy?

It actually is in comparison to many others. Being that it was the most popular hashing method throughout the world for a very long time, it has become very easy to crack because so many people had focused on reversing it.

Its not really a case of 'people took the time to reverse it' since methods to MD5 are open sourced anyway. The issue with MD5 is it is a simple algorithm which doesn't take long to brute force these days thanks to faster CPUs and being able to execute code on a GPU. Bruteforcing an MD5 hash of a simple password can take seconds on a modern powerful GPU.

SHA1 and better are more secure due to the complexity of the algorithm so it takes longer to calculate the hash, slowing down brute force attacks.
Although if someone uses common passwords such as 'password' '123' or similar stupid things then their password can be worked out easily no matter what the hashing method due to rainbow tables.

[NC]

Okay, so who remembers mIRC scripting in VCMP where passwords were saved as plain text and no one got a problem with it?

* NC raises his hand

In my opinion MD5 is still secure. You just have to manipulate the saved password with e.g. salt and pass it a few times through the MD5 hashing function and voilà, no one will be able to encode it, unless he doesn't know the instructions.

Btw. let's not forget, that someone has to steal the database with passwords first, in order to get the hashes.

[SugarD]

If you have no other choice, definitely go with MD5 over plain text...but I would still say that if you can figure it out, go with the most secure thing possible.

[Juppi]

Okay, so who remembers mIRC scripting in VCMP where passwords were saved as plain text and no one got a problem with it?

Some people also believed that drilling a hole in the head could cure migraine even after the dark ages.

In my opinion MD5 is still secure. You just have to manipulate the saved password with e.g. salt and pass it a few times through the MD5 hashing function and voilà, no one will be able to encode it, unless he doesn't know the instructions.

Your method may bring security through obscurity, but it doesn't fix the design flaws in MD5. Anyone determined enough can still use these exploits and crack the hashes. While this might not be a huge problem for something as small as GTA multiplayers, theres no real reason not to choose a more secure method over MD5 when alternatives are available.

[SugarD]

...theres no real reason not to choose a more secure method over MD5 when alternatives are available.

That part is exactly what I meant too. It's one thing if you know you can't use anything beyond MD5 due to say, compatibility issues with your gamemodes, or a lack of knowledge in using the others...but if you have the knowledge and ability, you should always use the best thing available to you. Purposely not using it and going for something older and outdated that has been known to be easily breached is like asking for someone to hack you when they feel like getting around to it. That is simply not good practice.

[NC]

Instead of creating new hashing algorithms, we should better secure the databases, so that no one will ever look into it, no matter if passwords are saved as plain text, md5, sha or stormy[256] .

And who needs to crack passwords, if most of them are already cracked, just type in google and here are the results.

[SugarD]

Instead of creating new hashing algorithms, we should better secure the databases, so that no one will ever look into it, no matter if passwords are saved as plain text, md5, sha or stormy[256] .

And who needs to crack passwords, if most of them are already cracked, just type in google and here are the results.

Those are MD5 hashes that are in Google. As for securing databases, you should already be doing that. You shouldn't be just hiding and protecting your database by itself, though. If it does get breached and you use a crappy hashing system, you're just begging for someone to post your passwords online. Many users make the mistake of using them in multiple locations, and as the owner of the server, you become legally responsible for any incidents that arise from such.

As a result, I would highly suggest you use the highest system available to you, if you can. You should not only prevent breaches in the first place, but also plan for them in the event they do happen. You cannot stop every single attack that ever happens, no matter how much security you have...but you can prevent any damage made from it, from becoming worse if you try hard enough beforehand.

[stormeus]

SHA1 has been removed from the "acceptable for password hashing" list due to faults in the algorithm that have made it subject to relatively simpler cracking and collision attacks. While these attacks are still expensive to carry out (2⁶¹ operations for a collision according to latest estimates, which comes at a cost at $2.77mil), it is still highly recommended to avoid using hashing algorithms with existing collision attacks.

TL;DR
It doesn't matter if you use SHA-1 or not since no one is going to spend millions of dollars to crack your server's hashes, but you should still use something more secure anyways.

See more: https://en.wikipedia.org/wiki/SHA-1#Attacks