English French German Spanish Russian
Password hash - TECHNICAL SUPPORT / WEB APPs BUGS - Ryzom Community ForumHomeGuest


Password hash


In the official changelog I found the following entry:
Hashing passwords in SHA-512 instead of DES

Well, it's not the case, sorry. I just changed my account password and it is still stored in DES. There is two easy way to prove it. The first one is to manually use the HTTP request used to ask for the password salt:
http://shard.ryzom.com:40916/login/r2_login.php?cmd=ask&login =account_name&lg=en

Simply replace "account_name" by your account name and remove the extra space added by this dirty forum engine (example). The answer should be the number "1" followed by ":" and the salt. A two characters salt is used for DES meanwhile the SHA-512 shouls use a 16 characters salt.
The second proof is the 8 character maximum length of DES. If you have a longer password, you can authenticate into the web app with only the 8 first characters because the others are ignored.

The SHA-512 hashing scheme has been written a few years ago and it used to work on Ryzom core just fine. Apparently, someone broke it and nobody actually tested it before writing the v3 changelog. By the way, it was written as a quick and dirty alternative to DES, not as a long-terme feature. You should have a look at PBKDF2, bcrypt, scrypt or, better, Argon2.


Markanjio di Segafredo
Noble Gardien des Matis - Noble Matis Guardian
Fléau de l'Empire - Scourge of the Empire
Show topic
Last visit Tue Jan 28 19:11:27 2020 UTC

powered by ryzom-api