Converting password to number


5 replies to this topic

#1 tanger32au   Members   -  Reputation: 108

0 Likes

Posted 27 February 2014 - 03:46 AM

Hi all,
As part of the login process for my game I am storing the username / password in a file. To protect this and stop people using the password I have written some code to take the password, convert this to ASCII code, perform two mathematical operations and save this to a file.
 
Having undertaken some testing of my code I have found a couple of things:
1) Entering "Paul" produces the same result as "luaP"
2) Entering "Lisa" produces the same result as "Bart".
Paul = 180730
luaP = 180730
Lisa = 178093
Bart = 178093
 
Here is the code I have written. This is taken from my game but changed slightly to work as a standalone program.
 
[CreatePassword]
' Reset the working variables for each run
PasswordCreate$ = ""
length = 0
PasswordCreateText = 0
PasswordCreatePro$ = ""
cls
Input "Enter a password: "; PasswordCreate$
    length = len(PasswordCreate$)
    ' Add up the ASCII code of every character in the password
    for A = 1 to length
        PasswordCreatePro$ = mid$(PasswordCreate$, A, 1)
        PasswordCreateText = PasswordCreateText + asc(PasswordCreatePro$)
    next A

' The two mathematical operations applied to the sum
PasswordCreateText = PasswordCreateText * 293
PasswordCreateText = PasswordCreateText + 62944

Print ""; PasswordCreateText

' Append "password = number" to the test file
open "PassWordChecker_Temp.spf" for append as #UC
print #UC, ""; PasswordCreate$; " = "; PasswordCreateText
close #UC

' Enter q to quit; anything else asks for another password
input "? "; RunChoice$
if RunChoice$ = "q" then goto [EndOfTest]
goto [CreatePassword]

[EndOfTest]
notice "Program closed"
end
 
Paul



#2 BitMaster   Crossbones+   -  Reputation: 4222

4 Likes

Posted 27 February 2014 - 04:12 AM

You will want to read about hash functions, specifically cryptographic hash functions.

#3 haegarr   Crossbones+   -  Reputation: 4418

6 Likes

Posted 27 February 2014 - 04:13 AM

The one problem arises because you don't consider the place of the particular characters when summing them up. The plus operator is commutative, that means

   1 + 2 == 2 + 1

and hence summing up the ASCII values of "Paul" gives the same value as summing up the ASCII values of "luaP".

 

The other problem arises because a specific sum can be yielded by several combinations of arguments. For example

   3 + 6 == 4 + 5

so summing up the ASCII values of "Lisa" gives the same value as summing up the ASCII values of "Bart" (although I haven't proved that).

 

Decent string hash functions consider the location of where the characters are in the string by multiplying the sum so far with a constant. However, finding such a constant so that the result has a vanishing probability of collision is not easy.

 

I suggest you not try your own solution but use an existing hash function. There are several of them available from the internet. For example, the Fowler/Noll/Vo version 1 alternative (or FNV-1a for short) is available for 32, 64, and 128 bit hash values, and demonstrates what I mean above. It is simple and can be implemented without hassle.

 

Another point is that hashing alone is not very secure. For a password hash one usually wants that the reverse step, e.g. computing the unknown password from the known hash, is not possible with a reasonable effort. Hence there are hash functions out there that are developed with the demand of not being reversible, so-called cryptographic hashes. Well known candidates are MD5 and the SHA family. Some of them are known to have weaknesses.

 

For passwords you should consider using such secure hash functions.
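Added example (not part of any post in this thread): the additive scheme from post #1 next to 32-bit FNV-1a, written in Python rather than JustBasic so it can be run and checked. It reproduces the two reported collisions and shows that a position-sensitive hash separates the same inputs; FNV-1a is not a cryptographic hash and is shown only to illustrate the ordering point, and the helper name `distinct_outputs` is an assumption of this example.

```python
from itertools import permutations

def additive_checksum(password: str) -> int:
    """The scheme from post #1: sum of character codes, * 293, + 62944."""
    return sum(ord(c) for c in password) * 293 + 62944

FNV_OFFSET_32 = 0x811C9DC5  # standard 32-bit FNV offset basis
FNV_PRIME_32 = 0x01000193   # standard 32-bit FNV prime

def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR in each byte, then multiply the running state."""
    h = FNV_OFFSET_32
    for byte in data:
        h ^= byte
        # The multiply mixes everything seen so far, so order matters.
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h

def distinct_outputs(fn, words) -> int:
    """Number of different values fn produces over the given words."""
    return len({fn(w) for w in words})

if __name__ == "__main__":
    for a, b in (("Paul", "luaP"), ("Lisa", "Bart")):
        print(a, b,
              "additive:", additive_checksum(a), additive_checksum(b),
              "fnv1a: %08x %08x" % (fnv1a_32(a.encode()), fnv1a_32(b.encode())))

    # Every ordering of the same letters collapses to one additive value.
    orderings = ["".join(p) for p in permutations("Paul")]
    print(len(orderings), "orderings ->",
          distinct_outputs(additive_checksum, orderings), "additive value(s),",
          distinct_outputs(lambda w: fnv1a_32(w.encode()), orderings),
          "FNV-1a value(s)")
```
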



#4 aregee   Members   -  Reputation: 1026

2 Likes

Posted 27 February 2014 - 06:06 AM

Don't use MD5, it is broken, and if you can: avoid using SHA-1 too: https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html



#5 kiteflyingmonkey   Members   -  Reputation: 310

2 Likes

Posted 27 February 2014 - 09:03 AM

"Never roll your own crypto"

http://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

If this is just for fun, or just for you and your friends or whatever, it's fun to learn how things work so doing your own crypto will be fine. Go ahead and use MD5 all you want. But if this is for something that is going on the internet, or for real users, DO NOT make your own crypto algorithm.

EDIT: Just to add, look up scrypt as well!


Edited by kiteflyingmonkey, 27 February 2014 - 09:04 AM.
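Added example (not part of any post in this thread): storing and checking a password with scrypt, the function suggested above, using Python's standard `hashlib.scrypt`. The record layout `scrypt$n$r$p$salt$hash`, the function names and the cost parameters are assumptions of this example, not a standard format.

```python
import base64
import hashlib
import hmac
import os

# Illustrative cost parameters (assumption); tune them for the target machine.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024

def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=DKLEN)

def make_record(password: str, salt=None) -> str:
    """Return the line to store in the password file instead of the password."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    key = _derive(password, salt, N, R, P)
    return "scrypt$%d$%d$%d$%s$%s" % (
        N, R, P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(key_b64)
        candidate = _derive(password, salt, int(n), int(r), int(p))
    except ValueError:
        return False  # malformed record or parameters
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    record = make_record("Paul")  # constructed sample password from the thread
    print(record)
    print("Paul:", verify_password("Paul", record))
    print("luaP:", verify_password("luaP", record))
```

Because the salt is random, two users with the same password get different records, so the file no longer reveals who shares a password.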


#6 tanger32au   Members   -  Reputation: 108

0 Likes

Posted 27 February 2014 - 04:12 PM

Thanks for the replies.

 

This is for a game I am making which is for my own use with a view to letting other people download it and play it if they want.

 

I am limited by the programming language I am using (JustBasic) so I am trying to make it the best / most secure I can within the limits of JustBasic.





