Quick Links: Download Gideros Studio | Gideros Documentation | Gideros community chat | DONATE
Client-side key-derivation — Gideros Forum
  • Home

    • Client-side key-derivation

    memememe Member
    edited May 2015 in Suggestions & requests
    I'm not very good at crypto, I know just the basic stuff. The more power the password derivation needs, the better. So, what's the usual reason to do it server-side anyway? Browsers not supporting it? Could gideros support it? Am I making a error in reasoning?

    I've built a communication model over with UrlLoader (https) into my current little game. Well, passwords are stored plain text in the database. Don't want to waste server resources if I *could do it client-side.

    Hm, what should I do?
    +1 -1Share on Facebook

    Comments

    • SinisterSoftSinisterSoft Maintainer
      The client side could be hacked more easily than the server side.
      Coder, video game industry veteran (since the '80s, ❤'s assembler), arrested - never convicted hacker (in the '90s), dad of five, he/him (if that even matters!).
      https://deluxepixel.com
      +1 -1Share on Facebook
    • tkhnomantkhnoman Member
      This make me remember about some site that store the password of username in their database as plain text, it ended in a horrible way.
      +1 -1Share on Facebook
    • memememe Member
      This make me remember about some site that store the password of username in their database as plain text, it ended in a horrible way.
      Yes, this is want I don't want to be accountable for. But the good crypto would disturb the server performance for let's say a millisecond. And the real good would do so for a second instead, then a hacker could brute force only 1/1000 as much. But I don't want to create server hickups performance-wise. Even If Lua in the client would take 2 times as long, the micro-lag would be just for one user instead of all.
      +1 -1Share on Facebook
    • ar2rsawseenar2rsawseen Maintainer
      edited May 2015
      @meme it makes a lot of sense to store authentication data in the app, even when you want to do autologin, etc.

      Just make sure to protect it, by encrypting it. Search for lua based encryption modules, I also saw something like this shared here on the forum too

      Also don't forget to use built in encryption on lua files, so now one would see the way you encrypt authentication
      http://appcodingeasy.com/Gideros-Mobile
      +1 -1Share on Facebook
    • SinisterSoftSinisterSoft Maintainer
      edited May 2015
      "Well, passwords are stored plain text in the database."

      This is madness btw...

      You should never store passwords (encypted or plain text), instead use salted hashes of the original password.
      Coder, video game industry veteran (since the '80s, ❤'s assembler), arrested - never convicted hacker (in the '90s), dad of five, he/him (if that even matters!).
      https://deluxepixel.com
      +1 -1Share on Facebook
    • memememe Member
      edited May 2015
      "Well, passwords are stored plain text in the database."

      This is madness btw...

      You should never store passwords (encypted or plain text), instead use salted hashes of the original password.
      I know. I decided for server-side and one of the hash functions in PHP now, since Lua's BitOp looks slow and unrelieable, but I have no Idea whether this is really the case.

      From a paranoid view it's not that great to ask the server for the hash, since lately there have been SSL breaks and UrlLoader isn't confirmed against that?, and a hacked server would leak the password before hashing. That's why I would have preferred hashing in Gideros. Plus server performance reasons.
      +1 -1Share on Facebook
    Sign In or Register to comment.