Comparing of password hashes.
Are two password hashes from different servers always the same?
Or only for the same server?
Thanks!
- rubenwardy
- Moderator
- Posts: 6978
- Joined: Tue Jun 12, 2012 18:11
- GitHub: rubenwardy
- IRC: rubenwardy
- In-game: rubenwardy
- Location: Bristol, United Kingdom
- Contact:
Re: Comparing of password hashes.
Minetest doesn't use password hashes. The thing that is stored will be different for different servers, afaik
See this for more info: Secure Remote Password
Re: Comparing of password hashes.
So minetest.auth_table[name].password is on different servers with the same password another value?
Re: Comparing of password hashes.
Here, just a == is used.
Can I do the same in lua?
Just say two clients with the same password and the same name on different servers.
minetest.auth_table[name].password == minetest.auth_table[name].password
^ Server One ^ Server Two
Will this be true?
Thanks!
- LMD
- Member
- Posts: 1400
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: Comparing of password hashes.
I guess that depends on whether the server admins changed their hash functions...
- TalkLounge
- Member
- Posts: 324
- Joined: Sun Mar 26, 2017 12:42
- GitHub: TalkLounge
- In-game: TalkLounge
- Location: Germany
Re: Comparing of password hashes.
No, see here.
Just say two clients with the same password and the same name on different servers.
minetest.auth_table[name].password == minetest.auth_table[name].password
^ Server One ^ Server Two
Will this be true?
```lua
minetest.register_on_joinplayer(function(player)
    local path = minetest.get_worldpath() .. "/hash.txt"
    local stored = minetest.auth_table[player:get_player_name()].password
    -- Open once and keep the handle; the original opened the file twice and
    -- never closed the handle used for the existence check.
    local file = io.open(path, "r")
    if not file then
        -- First join: remember this player's stored auth entry
        file = io.open(path, "w")
        file:write(stored)
        file:close()
    else
        -- Later joins: compare the current entry with the remembered one
        local hash = file:read("*a")
        file:close()
        if stored ~= hash then
            minetest.chat_send_all("Ungleich") -- German: "different"
        else
            minetest.chat_send_all("Gleich") -- German: "same"
        end
    end
end)
```
Subgames Server: Sky World Subgames German Survival Server: Wildes Land 2 E-Mail: talklounge@yahoo.de
- LMD
- Member
- Posts: 1400
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: Comparing of password hashes.
Okay, most likely it hashes the password with time or so... I guess we have to modify builtin to get our stuff working.
- LMD
- Member
- Posts: 1400
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: Comparing of password hashes.
Oh no, sorry, for me it is exactly different.
EDIT: Seems I didn't follow the instructions...
Attachments: prove.png (56.91 KiB)
Last edited by LMD on Fri Jul 20, 2018 13:16, edited 1 time in total.
- rubenwardy
- Moderator
- Posts: 6978
- Joined: Tue Jun 12, 2012 18:11
- GitHub: rubenwardy
- IRC: rubenwardy
- In-game: rubenwardy
- Location: Bristol, United Kingdom
- Contact:
Re: Comparing of password hashes.
The verifier (hash equiv) will be different on different servers or accounts
The protocol works by the client proving that they know the password without actually sending it. The server sends some stuff it stored - the salt and some constants - and the client calculates a verifier using this and sends it back. If the master password was coded for that particular account using the same constants, you could have an OR to allow either password. But you'd need to encode the master password with the same salt and consts to check it. As for multiple servers, you'd need to have the same salt and consts for the verifier to be the same.
- LMD
- Member
- Posts: 1400
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: Comparing of password hashes.
Salt means nothing more than those white crystals to me, sorry, but I'm not a core dev -> please explain for a minor.
Re: Comparing of password hashes.
Is it possible to switch from the SRP mechanism to Legacy_Password, which is only hashed?
- LMD
- Member
- Posts: 1400
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: Comparing of password hashes.
Ask rubenwardy or Krock or other core devs... IRC is a good place maybe... I'll try...
- Hybrid Dog
- Member
- Posts: 2836
- Joined: Thu Nov 01, 2012 12:46
- GitHub: HybridDog
Re: Comparing of password hashes.
If I understand this correctly, you can simply join the server with a modified client, it saves the salt and constants somewhere. Then you can create your own server with these salt and consts values and make players from that server join yours. Since they likely use their usual password, you can use their sent hash values to join with their account on the server where you got the salt and consts.
rubenwardy wrote:
The verifier (hash equiv) will be different on different servers or accounts
The protocol works by the client proving that they know the password without actually sending. The server sends some stuff it stored - the salt and some constants - and the client calculates a verifier using this and sends it back. If the master password was coded for that particular account using the same constants, you could have an or to allow either password. But you'd need to encode the master password with the same salt and consts to check it. As for multiple servers, you'd need to have the same salt and consts for the verifier to be the same
Re: Comparing of password hashes.
See wikipedia: Salt_(cryptography)
LMD wrote:
salt means nothing more than that white crystals to me .. please explain
'My' wiki-pages: Build-a-home - basic-robot - basic_robot_csm - basic-machines - digtron - xdecor -
Map-Database
- Member
- Posts: 818
- Joined: Tue Apr 14, 2015 01:59
- GitHub: raymoo
- IRC: Hijiri
- In-game: Raymoo + Clownpiece
Re: Comparing of password hashes.
No, because some of the values used during login are selected randomly each time, so the thing the client has to send is always different (with high probability).
Hybrid Dog wrote:
If I understand this correctly, you can simply join the server with a modified client, it saves the salt and constants somewhere. Then you can create your own server with these salt and consts values and make players from that server join yours. Since they likely use their usual password, you can use their sent hash values to join with their account on the server where you got the salt and consts.
rubenwardy wrote:
The verifier (hash equiv) will be different on different servers or accounts
The protocol works by the client proving that they know the password without actually sending. The server sends some stuff it stored - the salt and some constants - and the client calculates a verifier using this and sends it back. If the master password was coded for that particular account using the same constants, you could have an or to allow either password. But you'd need to encode the master password with the same salt and consts to check it. As for multiple servers, you'd need to have the same salt and consts for the verifier to be the same
Every time a mod API is left undocumented, a koala dies.
Re: Comparing of password hashes.
Does this mean that the saved password also includes the salt?
- New member
- Posts: 4
- Joined: Tue Apr 11, 2023 23:31
Re: Comparing of password hashes.
Yes, the password stored in the auth file includes the salt that was used to generate the verifier.
This is from the docs.
Format (since 0.4.13) of password hash is #1#<salt>#<verifier>, with the
parts inside <> encoded in the base64 encoding.
<verifier> is an RFC 2945 compatible SRP verifier,
of the given salt, password, and the player's name lowercased,
using the 2048-bit group specified in RFC 5054 and the SHA-256 hash function.
Below is an example of a password stored in the "auth.sqlite".
#1#TEPS7t/sDQIfjXITPnD1qg#EnjDAc6YJsmxo1Js8PVZ7Tx9JajIiXN1xHkfmMLui5QvHJnUxzlgzNmqSqr0oyJTvc2zMKeftD8tECzoeTmxg8WCKrcINzNLgtelAPBAsvJAcMOYyxZbAAxggb5R2CyzcyNQ9YATuxbEIEZLtXF6y/UNN9uFOUErvoGvih3v4aSYHj/Qf5SSWPHnx8OhZTkIB/p8k+GXIDwoHxutQKpg7Oia3DqvSxNWTobMmT+fPGceYuA+ffNw/lf8tboaSSELpV18FzEAl2esXZL5oHnAEHVzTmqUeerwzmB8vogxAjUVxzwUxBs6JxQwcy3RNaYoFBD5JywTHN9f12qogF4hZA
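To make rubenwardy's description of the handshake and the docs' #1#<salt>#<verifier> format concrete, here is an added example in Python. It is written for this thread and is neither Minetest's own code nor code from any poster. It assumes RFC 2945's derivation x = H(salt | H(name ":" password)) with the name lowercased, a seeded 128-bit toy safe-prime group in place of the RFC 5054 2048-bit group (whose modulus is not reproduced here), base64 without '=' padding as seen in the sample entry, and a simplified M1 proof; the salts, names and passwords are constructed. It also shows Raymoo's point: both sides derive the same key, but the value the client sends (M1) changes on every login because a and b are fresh random numbers, so a login captured from one server is of no use against another.

```python
import base64
import hashlib
import random

# --- Toy group (constructed for this example) --------------------------------
# Minetest uses the RFC 5054 2048-bit group; its modulus is deliberately not
# reproduced here, so a seeded 128-bit safe prime N = 2q+1 with g = 2 stands in.
def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small-prime bases; enough for a toy group."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _toy_group(bits=128, seed=20180720):
    rng = random.Random(seed)  # seeded so every run gets the same toy group
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, 2

N, g = _toy_group()
N_LEN = (N.bit_length() + 7) // 8

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _pad(n: int) -> bytes:
    return n.to_bytes(N_LEN, "big")

k = int.from_bytes(_h(_pad(N), _pad(g)), "big")  # SRP-6a multiplier, RFC 5054 style

# --- Verifier and the "#1#<salt>#<verifier>" auth entry ----------------------
def srp_x(salt: bytes, name: str, password: str) -> int:
    """RFC 2945: x = H(salt | H(name ":" password)), name lowercased per the docs."""
    return int.from_bytes(_h(salt, _h(f"{name.lower()}:{password}".encode())), "big")

def make_verifier(salt: bytes, name: str, password: str) -> int:
    return pow(g, srp_x(salt, name, password), N)

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")  # sample entry has no '=' padding

def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))

def format_auth_entry(salt: bytes, verifier: int) -> str:
    v_bytes = verifier.to_bytes((verifier.bit_length() + 7) // 8, "big")
    return f"#1#{_b64(salt)}#{_b64(v_bytes)}"

def parse_auth_entry(entry: str):
    empty, version, salt_b64, v_b64 = entry.split("#")
    if empty != "" or version != "1":
        raise ValueError("not a #1# SRP auth entry")
    return _unb64(salt_b64), int.from_bytes(_unb64(v_b64), "big")

# --- One SRP-6a login, both sides' messages ----------------------------------
def srp_login(salt, verifier, name, password, rng=random.SystemRandom()):
    """Return (M1, K_client, K_server). Only salt, A, B and M1 cross the wire;
    a and b are fresh per login, so M1 differs every time (Raymoo's point)."""
    a, b = rng.getrandbits(256), rng.getrandbits(256)
    A = pow(g, a, N)                                   # client -> server
    B = (k * verifier + pow(g, b, N)) % N              # server -> client
    if A % N == 0 or B % N == 0:
        raise ValueError("zero ephemeral value; abort the handshake")
    u = int.from_bytes(_h(_pad(A), _pad(B)), "big")
    x = srp_x(salt, name, password)                    # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(verifier, u, N) % N, b, N)  # server never needs x
    K_client, K_server = _h(_pad(S_client)), _h(_pad(S_server))
    M1 = _h(_pad(A), _pad(B), K_client)  # simplified proof; RFC 2945 hashes more fields
    return M1, K_client, K_server

PAGE_EXAMPLE = (  # the auth.sqlite entry quoted in the thread
    "#1#TEPS7t/sDQIfjXITPnD1qg#"
    "EnjDAc6YJsmxo1Js8PVZ7Tx9JajIiXN1xHkfmMLui5QvHJnUxzlgzNmqSqr0oyJTvc2zMKeftD8tECzo"
    "eTmxg8WCKrcINzNLgtelAPBAsvJAcMOYyxZbAAxggb5R2CyzcyNQ9YATuxbEIEZLtXF6y/UNN9uFOUEr"
    "voGvih3v4aSYHj/Qf5SSWPHnx8OhZTkIB/p8k+GXIDwoHxutQKpg7Oia3DqvSxNWTobMmT+fPGceYuA+"
    "ffNw/lf8tboaSSELpV18FzEAl2esXZL5oHnAEHVzTmqUeerwzmB8vogxAjUVxzwUxBs6JxQwcy3RNaYo"
    "FBD5JywTHN9f12qogF4hZA")
```

Parsing the thread's sample entry yields a 16-byte salt and a verifier of at most 2048 bits, as the docs describe. The same name and password under another server's salt produce an unrelated verifier, which answers the opening question: the stored values are only comparable when salt, group and name all match, and even then the per-login messages never repeat.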
- New member
- Posts: 4
- Joined: Tue Apr 11, 2023 23:31
Re: Comparing of password hashes.
If you want to check the password against another password with python3, this should help: https://github.com/konsoleSam/MinetestAuthVerifier
- sorcerykid
- Member
- Posts: 1847
- Joined: Fri Aug 26, 2016 15:36
- GitHub: sorcerykid
- In-game: Nemo
- Location: Illinois, USA
Re: Comparing of password hashes.
Afaik if the server admin uses the /setpassword command, then Minetest does use a cryptographic hashing algorithm based only on username + password pair (I think it stores SHA256 as Base64) in which case the same hash could appear on multiple servers.