

Password hash

Hi,

In the official changelog I found the following entry:
Hashing passwords in SHA-512 instead of DES

Well, it's not the case, sorry. I just changed my account password and it is still stored in DES. There are two easy ways to prove it. The first one is to manually use the HTTP request used to ask for the password salt:
http://shard.ryzom.com:40916/login/r2_login.php?cmd=ask&login =account_name&lg=en

Simply replace "account_name" by your account name and remove the extra space added by this dirty forum engine (example). The answer should be the number "1" followed by ":" and the salt. A two-character salt is used for DES, while SHA-512 should use a 16-character salt.
The second proof is the 8-character maximum length of DES. If you have a longer password, you can authenticate into the web app with only the first 8 characters because the others are ignored.


The SHA-512 hashing scheme was written a few years ago and it used to work on Ryzom core just fine. Apparently, someone broke it and nobody actually tested it before writing the v3 changelog. By the way, it was written as a quick and dirty alternative to DES, not as a long-term feature. You should have a look at PBKDF2, bcrypt, scrypt or, better, Argon2.

---

Markanjio di Segafredo
Alkiane
Noble Gardien des Matis - Noble Matis Guardian
Fléau de l'Empire - Scourge of the Empire
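As an added example (not from the post above and not Ryzom's own code): a small Python audit that applies the two indicators the post describes, the salt length returned by the `1:<salt>` endpoint response and the shape of the stored crypt(3)-style hash, to flag accounts still on DES or on SHA-512 crypt with a salt shorter than 16 characters. The account names and hash values are constructed, not real data.

```python
import re

# Traditional DES crypt(3): 13 chars of [./0-9A-Za-z]; the first two are the salt
# and the password is truncated to 8 characters before hashing.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# SHA-512 crypt ($6$): optional "rounds=N$" field, salt of up to 16 chars, 86-char hash.
SHA512_CRYPT_RE = re.compile(
    r"^\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$"
)

def classify_stored_hash(stored: str) -> dict:
    """Classify a stored hash; 'ok' is True only for SHA-512 crypt with a 16-char salt."""
    if DES_CRYPT_RE.match(stored):
        return {"scheme": "des", "salt": stored[:2], "ok": False,
                "reason": "DES crypt: 2-char salt, password truncated to 8 chars"}
    m = SHA512_CRYPT_RE.match(stored)
    if m:
        salt = m.group(2)
        ok = len(salt) == 16
        return {"scheme": "sha512", "salt": salt, "ok": ok,
                "reason": "ok" if ok else f"short salt ({len(salt)} chars, expected 16)"}
    return {"scheme": "unknown", "salt": None, "ok": False, "reason": "unrecognised format"}

def classify_salt_response(body: str) -> dict:
    """Classify the '1:<salt>' reply of the salt endpoint by salt length, as the post does."""
    status, sep, salt = body.strip().partition(":")
    if sep != ":" or status != "1":
        return {"scheme": "error", "salt": None}
    if len(salt) == 2:
        return {"scheme": "des", "salt": salt}
    if len(salt) == 16:
        return {"scheme": "sha512", "salt": salt}
    return {"scheme": "unknown", "salt": salt}

def audit(rows) -> list:
    """Return the account names whose stored hash is not full-strength SHA-512 crypt."""
    return [name for name, stored in rows if not classify_stored_hash(stored)["ok"]]

# Constructed sample rows (hypothetical accounts; hash bodies are filler, not real digests).
SAMPLE_ROWS = [
    ("alice", "abXyZ.1/abcDE"),                          # DES crypt shape, 2-char salt "ab"
    ("bob",   "$6$0123456789abcdef$" + "x" * 86),        # SHA-512 crypt, 16-char salt
    ("carol", "$6$rounds=5000$shortsalt$" + "x" * 86),   # SHA-512 crypt, 9-char salt
]

if __name__ == "__main__":
    print("accounts needing a rehash:", audit(SAMPLE_ROWS))   # ['alice', 'carol']
```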