Secure Hash Keys


10 replies to this topic

#1 HDeffo

  • Members
  • 214 posts

Posted 08 February 2016 - 06:02 AM

I am currently programming something which uses cloud-based account verification in ComputerCraft. Simply put, I would like to add a "remember me" button. However, the only two options I can see are to either store the user's password in plain text (very bad) or store a hashed authorization key in plain text (still bad).

Either option a person could just copy and use to bypass someone's login very easily. Does anyone on here have an idea on how I can prevent this, or any other way I could possibly implement a remember-me button in ComputerCraft?

#2 Anavrins

  • Members
  • 775 posts

Posted 08 February 2016 - 06:43 AM

I highly doubt it.
There will always be a trade-off between convenience and security when doing this kind of feature.
It's the same for a real website, an auth cookie is just sitting there in plaintext waiting to be read by somebody else or a virus.
Though, from your two options, I would choose to store a randomized authorization key since it would at least not leak the password.

Edited by Anavrins, 08 February 2016 - 06:44 AM.


#3 HDeffo

  • Members
  • 214 posts

Posted 08 February 2016 - 06:54 AM

Anavrins, on 08 February 2016 - 06:43 AM, said:

I highly doubt it.
There will always be a trade-off between convenience and security when doing this kind of feature.
It's the same for a real website, an auth cookie is just sitting there in plaintext waiting to be read by somebody else or a virus.
Though, from your two options, I would choose to store a randomized authorization key since it would at least not leak the password.

Usually programs have the advantage of storing some unique identifier in the key. Though you can spoof those too, it's much easier to spoof the only real identifier we have, os.computerID().

#4 H4X0RZ

  • Members
  • 1,315 posts
  • LocationGermany

Posted 08 February 2016 - 10:01 AM

If you use a real server, you could try out JWTs.

#5 HDeffo

  • Members
  • 214 posts

Posted 08 February 2016 - 12:59 PM

H4X0RZ, on 08 February 2016 - 10:01 AM, said:

If you use a real server, you could try out JWTs.

Wouldn't solve the issue. In order to "remember" the login I have to save the JWT, and that means it can be copied and inserted into another computer.

#6 Lupus590

  • Members
  • 2,028 posts
  • LocationUK

Posted 08 February 2016 - 01:22 PM

Can you save the cookie to a CC disk and have that disk on your player when not in use?

Related idea: the cookie is on a CC pocket PC and is encrypted and transmitted to the client computer when needed.

Edited by Lupus590, 08 February 2016 - 01:23 PM.


#7 Dragon53535

  • Members
  • 973 posts
  • LocationIn the Matrix

Posted 08 February 2016 - 05:30 PM

For auth keys, you can just create a random key for a person, know that the key is for that person, and if anyone steals it, allow the person to revoke access to that key. That is kinda how mobile apps do it.

However for safety of your users, watch this video to see how NOT to handle this. Here ya go.

Edited by Dragon53535, 08 February 2016 - 05:32 PM.


#8 HDeffo

  • Members
  • 214 posts

Posted 08 February 2016 - 07:13 PM

I found a way to do this. Essentially I am sending bitcode from the server for the computer to run which verifies that os.computerID() is a Java function and then returns the auth key, secret key, and computer ID to the server. The true auth key is then generated as a hash of these three plus another secret salt. Theoretically it can still be bypassed, but since everything is hidden behind bitcode it's now a little more difficult.
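A server-side sketch of the two ideas above, Dragon53535's random per-person key that the user can revoke and HDeffo's binding of the key to the presenting computer's ID; this is an added example written for this thread, not code from the thread or from ComputerCraft, and the in-memory store, the server secret and the computer IDs are assumed stand-ins. The device binding is only as strong as the computer ID the client reports; it stops a plain copy of the saved key, not a client that lies about its ID.

```python
import hashlib
import hmac
import secrets

class RememberMeStore:
    """Server-side store for remember-me keys (hypothetical in-memory stand-in for a DB)."""

    def __init__(self, server_secret: bytes):
        self.server_secret = server_secret  # assumed server-only secret (the "secret salt")
        self.tokens = {}  # token_id -> {"user", "computer_id", "fp", "revoked"}

    def _fingerprint(self, secret_part: bytes, computer_id: int) -> bytes:
        # Keyed hash over the random secret and the ID of the computer presenting it.
        # Only this is stored, so a leaked server table cannot be replayed, and a key
        # copied to a computer with a different ID fails verification.
        msg = secret_part + computer_id.to_bytes(4, "big")
        return hmac.new(self.server_secret, msg, hashlib.sha256).digest()

    def issue(self, user: str, computer_id: int) -> str:
        # Random, unguessable key: it neither contains nor derives from the password.
        token_id, secret_part = secrets.token_hex(8), secrets.token_bytes(32)
        self.tokens[token_id] = {"user": user, "computer_id": computer_id,
                                 "fp": self._fingerprint(secret_part, computer_id), "revoked": False}
        return token_id + ":" + secret_part.hex()  # what the client saves to disk

    def verify(self, token: str, computer_id: int):
        """Return the owning user name, or None if the key is malformed, unknown, revoked or moved."""
        try:
            token_id, secret_hex = token.split(":", 1)
            secret_part = bytes.fromhex(secret_hex)
        except ValueError:
            return None
        rec = self.tokens.get(token_id)
        if rec is None or rec["revoked"]:
            return None
        if not hmac.compare_digest(self._fingerprint(secret_part, computer_id), rec["fp"]):
            return None
        return rec["user"]

    def revoke(self, token_id: str) -> bool:
        """Let a user kill a stolen key; False if it was unknown or already revoked."""
        rec = self.tokens.get(token_id)
        if rec is None or rec["revoked"]:
            return False
        rec["revoked"] = True
        return True
```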

#9 Wojbie

  • Members
  • 631 posts
  • LocationKinda lost

Posted 08 February 2016 - 09:04 PM

HDeffo, on 08 February 2016 - 07:13 PM, said:

I found a way to do this. Essentially I am sending bitcode from the server for the computer to run which verifies that os.computerID() is a Java function and then returns the auth key, secret key, and computer ID to the server. The true auth key is then generated as a hash of these three plus another secret salt. Theoretically it can still be bypassed, but since everything is hidden behind bitcode it's now a little more difficult.

That depends on how you are testing that os.computerID() is not changed. It sounds like an easy-to-spoof test (considering that you can mess with the bytecode environment), especially now that you told people what it does. There are a few Lua "uncompilers" that transform bytecode into human-readable code.

Edited by Wojbie, 08 February 2016 - 09:05 PM.


#10 HDeffo

  • Members
  • 214 posts

Posted 08 February 2016 - 09:24 PM

Wojbie, on 08 February 2016 - 09:04 PM, said:

HDeffo, on 08 February 2016 - 07:13 PM, said:

I found a way to do this. Essentially I am sending bitcode from the server for the computer to run which verifies that os.computerID() is a Java function and then returns the auth key, secret key, and computer ID to the server. The true auth key is then generated as a hash of these three plus another secret salt. Theoretically it can still be bypassed, but since everything is hidden behind bitcode it's now a little more difficult.

That depends on how you are testing that os.computerID() is not changed. It sounds like an easy-to-spoof test (considering that you can mess with the bytecode environment), especially now that you told people what it does. There are a few Lua "uncompilers" that transform bytecode into human-readable code.

Those are very difficult to port to ComputerCraft though. And since true security is impossible in CC, I think this is as secure as it's gonna get.

#11 Wojbie

  • Members
  • 631 posts
  • LocationKinda lost

Posted 08 February 2016 - 09:25 PM

True
