A simple way to implement username and passwords in Spidermonkey?

Hello! I created a server, and I decided to add the feature of login with a username and password. I never worked with databases and encryption, so I decided to only type a username for now. Basically, what I want to do is this:

  • Client asks for a username
  • Client tries to connect to the server
  • Server detects the connection (by connectionAdded())
  • Server looks for all HostedConnection objects and if a HostedConnection has the same username, the client is kicked.
  • If not, the server sends a NewPlayerMessage, so my controls can add an object, the name, atc…

My problem is that the string name is inside the main appstate. I know I can set an attribute to HostedConnection, but I want to get the name from the app state. How do I do that?

Thanks,
Ev1lbl0w

I don’t know your problem, you could do those by Messages.

In case you want to do it professionally: The Server sends random 128bits (32 byte hexadecimal) and the Client has to encrypt it. If the Server had the same result, the Client has the right password. That way the password is never transmitted. It’s pretty easy doable, but you should use asynchronous encryption else somebody could simply calculate your passwort.

As for the appstates.

MyApp.getAppStateManager().getState(MyAppState.class).setWhatever()

It’s more important to close the connection of an wrongly transmitted password, though. Don’t rely on the client stopping all other messages.

Thanks! That will do it for now!

A better solution would be to have a central HTTPS server. When the client connects, the server talks to the HTTPS server and gets a connection ID (connection IDs are unique, temporary, randomly generated Strings or large numbers) then sends it to the client. The client then connects to the HTTPS server and sends the connection id, username, and password and receives an authorization ID in return. The client then sends the authorization ID back to the server which then sends the authorization ID and connection ID to the HTTPS server that tells it whether or not the player has successfully authenticated.

I know this is complicated, but it’s what I see many major games (specifically Minecraft) do a variation of.

That is a project for the future, but now I have an idea of how to do it. Thank you very much :wink:

I recommend reading Secure Salted Password Hashing - How to do it Properly for handling safe passwords.

What is wrong with common salted sha512? Or even md5? It’s a game not a bank account… with PBKDF2 you make the authserver’s processor do additional work for nothing.

MD5 is really only 2 seconds security.
However shaX and requirement to authentificate within a few seconds will do usually i guess.

1 Like

True.
However many websites still use salted md5.

What is wrong with common salted sha512? Or even md5?

The link I posted pretty much answers your questions.

It’s a game not a bank account…

Well, depending on the game it might be a problem since it depends if he’s going to handle transactions. I don’t know how many World of Warcraft accounts that has been hacked (not due to bad password storage here what I recall, but still a problem). PlayStation Network had problems with stolen passwords a couple of years ago. Both usernames and passwords tends to be reused (you should never use the same password twice) and that could be a problem if they are combined with an e-mail address, which makes it easier for a hacker to gain access to something else. You could have the attitude and say that your users will have to blame them self, or you can help them as much as you can.

with PBKDF2 you make the authserver’s processor do additional work for nothing.

I don’t know how many users that he’s going to have or how often he needs to verify the password. But I’ve made some basic tests with the code at the link using my i7 950 which was released 6 years ago. I suppose that newer hardware should be able to handle this algorithm a bit faster. The average for creating a hash or verify a password is 3.4ms using a single core. (You need to randomize passwords and run the method like 10000 times to get the JIT compiler to work properly) This means that he could probably verify about 300 passwords per second and that equals about 1 million per hour, using a 6 years old CPU with a single core. That’s about the amount of concurrent MineCraft users, if they login 1 time per hour, and I know for fact that Notch could afford another authentication server since he now is a $ billionaire.

Optimizing is good, but optimize things that matters.

It was rhetorical.
You brought good points, but I’m still not convinced.
Let’s assume you have a table named ‘users’ with those columns ‘id’ ‘username’ ‘password’ ‘level’ and a view that show ‘id’ ‘username’ ‘level’ of the previous table. Then you can use two different accounts one with the permissions to see the users table, that will be used for login and registration, and one with the permissions to see only the view that will be used for everything else.
At this point an attacker in order to get the hashes from our database he must gain a remote access to the server or use an sqli inside the login or registration module. To avoid the last one you just have to double check your code, the first one is slightly more unpredictable because a bug on a third party software could expose your server to this kind of attacks, but still quite unlikely.

But let’s assume that someone managed to hack into our system, is really so easy to crack an entire db of sha512 passwords?
Let’s talk numbers, assuming that you can generate 1 000 000 000 sha512 hash per seconds and every password is built with 10 of 94 possible characters means 94^10 possible combinations you need many lives to build an entire dictionary with the current highend hardware.
(Remember that we are assuming that the password length is fixed).

Security is good, but there is no reason to armor your house if the price of doing that is 10 times the price of all the stuff you have inside.

No No no es securida. (insert family guy maid here)

At least in germany you are most likely sueable with such a security systems that does not include salting due to data protection laws. Also the other one is pretty much ready to use so actually less work than doing your own thing.

Nobody said “do not use salt”.
I was saying that salted sha512 is safe enough if you don’t own a time machine.

This is probably correct but really, lets use BCrypt already :smile:

http://www.mindrot.org/projects/jBCrypt/