Quick Links: Download Gideros Studio | Gideros Documentation | Gideros Development Center | Gideros community chat | DONATE
Client-side key-derivation — Gideros Forum

Client-side key-derivation

memememe Member
edited May 2015 in Suggestions & requests
I'm not very good at crypto, I know just the basic stuff. The more power the password derivation needs, the better. So, what's the usual reason to do it server-side anyway? Browsers not supporting it? Could gideros support it? Am I making a error in reasoning?

I've built a communication model over with UrlLoader (https) into my current little game. Well, passwords are stored plain text in the database. Don't want to waste server resources if I *could do it client-side.

Hm, what should I do?

Comments

  • SinisterSoftSinisterSoft Maintainer
    The client side could be hacked more easily than the server side.
    Coder, video game industry veteran (since the '80s, ❤'s assembler), arrested - never convicted hacker (in the '90s), dad of five, he/him (if that even matters!).
    https://deluxepixel.com
  • This make me remember about some site that store the password of username in their database as plain text, it ended in a horrible way.
  • memememe Member
    This make me remember about some site that store the password of username in their database as plain text, it ended in a horrible way.
    Yes, this is want I don't want to be accountable for. But the good crypto would disturb the server performance for let's say a millisecond. And the real good would do so for a second instead, then a hacker could brute force only 1/1000 as much. But I don't want to create server hickups performance-wise. Even If Lua in the client would take 2 times as long, the micro-lag would be just for one user instead of all.
  • ar2rsawseenar2rsawseen Maintainer
    edited May 2015
    @meme it makes a lot of sense to store authentication data in the app, even when you want to do autologin, etc.

    Just make sure to protect it, by encrypting it. Search for lua based encryption modules, I also saw something like this shared here on the forum too

    Also don't forget to use built in encryption on lua files, so now one would see the way you encrypt authentication
  • SinisterSoftSinisterSoft Maintainer
    edited May 2015
    "Well, passwords are stored plain text in the database."

    This is madness btw...

    You should never store passwords (encypted or plain text), instead use salted hashes of the original password.
    Coder, video game industry veteran (since the '80s, ❤'s assembler), arrested - never convicted hacker (in the '90s), dad of five, he/him (if that even matters!).
    https://deluxepixel.com
  • memememe Member
    edited May 2015
    "Well, passwords are stored plain text in the database."

    This is madness btw...

    You should never store passwords (encypted or plain text), instead use salted hashes of the original password.
    I know. I decided for server-side and one of the hash functions in PHP now, since Lua's BitOp looks slow and unrelieable, but I have no Idea whether this is really the case.

    From a paranoid view it's not that great to ask the server for the hash, since lately there have been SSL breaks and UrlLoader isn't confirmed against that?, and a hacked server would leak the password before hashing. That's why I would have preferred hashing in Gideros. Plus server performance reasons.
Sign In or Register to comment.