L2JMobius

Password Encryption

dpoulimenos · 6 · 1720

Offline dpoulimenos

  • Vassal
    • Posts: 3
Hello everyone!

I am new to this side of the game, but I remember enjoying the game as a player. Now I am trying to create a server and a website for my server, both locally first! I have successfully created the server and modified everything I need, and I have also created a website for the server on the Django framework (Python). I have also modified the Django website to use the hash and encoding of the L2JMobius server (used when an account is auto-created from the client). Since the method being used by the server is weak and vulnerable:

Code:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

final MessageDigest md = MessageDigest.getInstance("SHA"); // "SHA" resolves to SHA-1, no salt
final byte[] raw = password.getBytes(StandardCharsets.UTF_8);
final String hashBase64 = Base64.getEncoder().encodeToString(md.digest(raw)); // value stored in the accounts table

I want to change that for when a user is created automatically from the client, OR to be able to work with Django's encryption, which is solid and secure. All I was thinking of doing is finding the part of the code that hashes and encrypts the user's code before storing it in the database, but there are so many files in there. All I need is guidance and I can do the rest!!

Thanks in Advance.... AND A HAPPY NEW YEAR :) :)
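The following is an added example, not code from the thread or from the L2JMobius or Django projects. It shows, in Python, the two hash formats the post is trying to reconcile: the server's unsalted SHA-1/Base64 value (the same bytes the Java snippet produces, so the Django site can still recognise accounts the client auto-created) and a Django-compatible `pbkdf2_sha256$iterations$salt$digest` string built with only the standard library. `check_password_and_upgrade` accepts either and returns an upgraded hash after a successful legacy login, so the weak value is replaced the first time a player signs in through the site. The function names, the iteration count and the salt generator are assumptions chosen for this example; Django's own hasher (`django.contrib.auth.hashers`) picks its own defaults.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed values for this example; Django's default iteration count rises
# with each release, so read it from the installed version in real code.
DJANGO_ALGORITHM = "pbkdf2_sha256"
DJANGO_ITERATIONS = 600_000


def l2j_legacy_hash(password: str) -> str:
    """Reproduce the server's current scheme: unsalted SHA-1, Base64 encoded.

    Equivalent to MessageDigest.getInstance("SHA") + Base64 in the Java
    snippet. Because there is no salt, two accounts with the same password
    store the same string, which is why the format is considered weak.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def django_pbkdf2_encode(password: str, salt: Optional[str] = None,
                         iterations: int = DJANGO_ITERATIONS) -> str:
    """Produce a Django-compatible PBKDF2-HMAC-SHA256 string."""
    if salt is None:
        # Constructed salt source; Django draws its own alphanumeric salt.
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("ascii"), iterations)
    return "$".join([DJANGO_ALGORITHM, str(iterations), salt,
                     base64.b64encode(dk).decode("ascii")])


def django_pbkdf2_verify(password: str, encoded: str) -> bool:
    """Verify a password against a stored pbkdf2_sha256 string."""
    try:
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
    except ValueError:
        return False  # malformed stored value
    if algorithm != DJANGO_ALGORITHM:
        return False
    recomputed = django_pbkdf2_encode(password, salt=salt,
                                      iterations=int(iterations))
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(recomputed, encoded)


def check_password_and_upgrade(password: str,
                               stored: str) -> Tuple[bool, Optional[str]]:
    """Accept either format; return (ok, new_hash_or_None).

    When a legacy SHA-1 row verifies, the caller writes the returned PBKDF2
    string back to the accounts table so the unsalted value is retired.
    """
    if stored.startswith(DJANGO_ALGORITHM + "$"):
        return django_pbkdf2_verify(password, stored), None
    if hmac.compare_digest(l2j_legacy_hash(password), stored):
        return True, django_pbkdf2_encode(password)
    return False, None


if __name__ == "__main__":
    legacy = l2j_legacy_hash("password")        # constructed sample credential
    ok, upgraded = check_password_and_upgrade("password", legacy)
    print(legacy, ok, upgraded)
```

The rehash-on-login approach matters because the server cannot recover plaintext passwords from the stored SHA-1 values; the only moment the plaintext is available is when the player submits it, so that is the only moment the stronger hash can be computed.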


Online Mobius

  • Distinguished King
    • Posts: 19659
If your database isn’t compromised, the hashing algorithm isn’t inherently weak or vulnerable.
And if an attacker does gain access to your server, changing the password hashing algorithm would likely be the least of your concerns.

If anything, I would worry more about how the client sends the password to your server.


Offline dpoulimenos

  • Vassal
    • Posts: 3
Quote from Mobius: If anything, I would worry more about how the client sends the password to your server.

That's exactly what I was thinking; however, applying the best encryption is still good practice, I think. One last question: you said you would worry about how the client sends the password to the server. Does that mean through HTTPS, or does it have nothing to do with that?


Offline G-hamsteR

  • Count
    • Posts: 419
HTTPS has nothing to do with how the client communicates with the server.


Offline dpoulimenos

  • Vassal
    • Posts: 3
Ok, I get it — HTTPS has nothing to do with this specifically. But this encryption mechanism (custom packet encryption or session-based encryption) does play a crucial role in securing the communication between the L2 client and the L2JMobius server, especially when it comes to protecting sensitive information like passwords during the login process.

Without such encryption in place, passwords and other sensitive data could be intercepted by an attacker. So is something like this already implemented there, or do I have to do it?

Edit: With a simple Wireshark sniff I was able to retrieve the username and the hashed/encoded password that is transmitted during the login process.


Offline G-hamsteR

  • Count
    • Posts: 419
There are easier ways to improve security than modifying the client. You could implement OTP functionality, have a PIN, or even require a second password after a successful login.