
Thread: why are passwords not stored as hash?

  1. #1

    why are passwords not stored as hash?

    A hash is a function that converts data into another form of data that cannot be reversed. Whenever an account's information and password is stored on a device, that password is actually stored as a hash rather than plain text. This makes it IMPOSSIBLE for anyone to get your password; even if they get your save.dat, all they are getting is your hash rather than your password. Literally every app that stores passwords locally on your device stores them as hashes. Yet Growtopia does not have this feature. All Growtopia passwords are stored as plain text; this is why hacking accounts in Growtopia is incredibly easy compared to Steam accounts, Google accounts, etc.

  2. #2
    Master Sorcerer Jedaki
    Join Date: Apr 2019
    Location: Mods' watchlist
    Posts: 3,150

    I wouldn't trust someone whose name is literally cheater.
    Retired poster

  3. #3
    Master Sorcerer Caine
    Join Date: Jul 2017
    Location: United Kingdom
    Posts: 1,635

    Quote Originally Posted by Jedaki View Post
    I wouldn't trust someone whose name is literally cheater.
    But he's right... Growtopia saves its passwords as plain text instead of hash
    Love the life you live and live the life you love

    GrowID || Kitty

  4. #4
    Master Sorcerer Astigmatisme
    Join Date: Jan 2019
    Location: de eart
    Posts: 3,181

    Quote Originally Posted by Caine View Post
    But he's right... Growtopia saves its passwords as plain text instead of hash
    I think they only send the login data (pass, etc) as plain ascii, the save file still saves it as encrypted jibber jabber.
    h
    IGN : C21H23NO5


  5. #5
    Master Sorcerer TeachMeHow
    Join Date: Feb 2017
    Location: Place Far Away Manila
    Posts: 2,852

    Anyways they could use hash as a decoding system
    Quote Originally Posted by Yasuo
    *Hasagi*
    Quote Originally Posted by AlsoYasuo
    *Soryegadon*

  6. #6
    Master Sorcerer DeLixx
    Join Date: Jun 2013
    Posts: 2,005

    Growtopia does use hashes to save passwords server-side; it has been for years.

    The entire idea of using a hashing algorithm to compare passwords is grounded on obstructing attackers after a breach, to give the admins enough time to invalidate all logins, or possibly denying attackers access to all/most passwords completely.
    It is not a golden-egg-laying goose, just, depending on the implementation, the current security standard.
    It will not save you from client-side infections or social engineering either.

    It is not Growtopia's fault when someone fails to recognise "gem_hack.exe" as harmful and allows their PC to be infected.
    We even have 2FA by now; how are people still claiming to be hacked...

  7. #7
    Master Sorcerer Imunity
    Join Date: Mar 2016
    Location: Lithuania
    Posts: 769

    Quote Originally Posted by DeLixx View Post
    Growtopia does use hashes to save passwords server-side; it has been for years.

    The entire idea of using a hashing algorithm to compare passwords is grounded on obstructing attackers after a breach, to give the admins enough time to invalidate all logins, or possibly denying attackers access to all/most passwords completely.
    It is not a golden-egg-laying goose, just, depending on the implementation, the current security standard.
    It will not save you from client-side infections or social engineering either.

    It is not Growtopia's fault when someone fails to recognise "gem_hack.exe" as harmful and allows their PC to be infected.
    We even have 2FA by now; how are people still claiming to be hacked...
    Passwords can be cracked with specific tools (I assume) and apparently AAP can be bypassed [somehow]...? So that's how.
    IGN: Imunity

  8. #8
    Master Sorcerer SydeWeiz
    Join Date: Apr 2018
    Location: Neutron Star
    Posts: 1,276

    Quote Originally Posted by Imunity View Post
    Passwords can be cracked with specific tools (I assume) and apparently AAP can be bypassed [somehow]...? So that's how.
    They said that they patched the method of AAP bypass; if possible, AAP will no longer be able to be cracked.
    Last edited by SydeWeiz; 03-17-2020 at 07:12 PM.
    IGN: SydeEvil
    Discord: SydeEvil#2924

  9. #9
    Banned
    Join Date: Oct 2019
    Location: United States of America
    Posts: 249

    Well I've read many posts on the internet and the fix can be really easy:

    Encrypt the damn password in save.dat with an encryption algorithm that uses keys (like AES).
    The key could be randomised (i.e. sometimes it's the hardware ID, sometimes it's some other thing, etc.). That way, even if stolen, a save.dat file would be useless.

  10. #10
    Master Sorcerer MrAugu
    Join Date: Feb 2018
    Location: Behind You
    Posts: 560

    This is actually more complicated than it sounds.

    Why aren't passwords stored as hashes?
    First, looking at how hashing works: it is a one-way process. Once something is hashed it cannot be de-hashed back to its original state, and hashes of different inputs can be the same (collisions can appear, as they are fixed-size). Once you have the hash and the hashing algorithm, you can actually generate many possible hashes for known common inputs and check if any of those hashes match the one in save.dat. There are a lot of combinations possible, but it is not impossible to crack, as many passwords have common syntax; you have to have an ultra-uncommon password with many special characters.

    Ok, hashes are one-way, but what if an encrypted password is saved both to the server and to the local save.dat?
    You, as a user, when you switch accounts, need to edit the password. That implies the password needs to be encrypted in the client itself and be editable both online and offline, which means the client needs to have a copy of the key the passwords are encrypted with. That makes it vulnerable, because in order to obtain the same output after decryption, the server also needs to decrypt it with the same key as the client and validate that.

    Conclusion:
    Passwords still need to be, in some way or shape, converted back into the actual password you typed in order to be validated. Hashes make it impossible to do that, and if your password is even somewhat common it can be easily cracked; having any sort of key on the client makes it vulnerable to reverse engineering.

    - - - Updated - - -

    Quote Originally Posted by ColderMan View Post
    Well I've read many posts on the internet and the fix can be really easy:

    Encrypt the damn password in save.dat with an encryption algorithm that uses keys (like AES).
    The key could be randomised (i.e. sometimes it's the hardware ID, sometimes it's some other thing, etc.). That way, even if stolen, a save.dat file would be useless.
    The key needs to be known by both server and client; exchanging the key on login makes it insecure if the actual app you got hacked with is running secretly in the background and catches packets between you and the servers.
    GrowCord - Discord Bot
    The only growtopia discord bot that post DQs, tweets and more into your discord server.
    ==
    Discord: MrAugu#7917
    ==
    Full-stack developer.
    ==
    *Daily Quests, WOTD, Last Two Tweets, Daily News
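The salted, slow server-side hashing that the opening post and MrAugu's reply describe, as an added example that is not code from the thread or from Growtopia (the PBKDF2 iteration count and salt length are assumed values, and the sample passwords are constructed):

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt length are assumed values for this example,
# not anything Growtopia actually uses.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """A fast, unsalted hash: identical for every user with the same password,
    so one precomputed table of common passwords covers all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user makes each record unique, so guesses must be
    recomputed per record, and the iteration count slows down every guess."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time; the stored record is never turned back into the password."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad integer): fail closed.
        return False


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same weak password.
    alice, bob = hash_password("password123"), hash_password("password123")
    print("unsalted records identical:", unsalted_sha256("password123") == unsalted_sha256("password123"))
    print("salted records identical:  ", alice == bob)
    print("verify correct password:   ", verify_password("password123", alice))
    print("verify wrong password:     ", verify_password("hunter2", alice))
```

The point is that the server can check a login without ever storing or recovering the typed password, and a leaked records table cannot be matched against a single precomputed list.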

  11. #11
    Master Sorcerer DeLixx
    Join Date: Jun 2013
    Posts: 2,005

    Quote Originally Posted by Imunity View Post
    Passwords can be cracked with specific tools (I assume) and apparently AAP can be bypassed [somehow]...? So that's how.
    The secure technology is there, but the weakest node in the chain is the human itself.
    It's always been like that.
    Some people are more prone to these sorts of attacks than others.

    2FA can, for example, be bypassed if you use the same password on your mail account as on Growtopia, enable someone to gain remote control over your PC, or whitelist someone else's device after they've convinced you to do so.

  12. #12
    Master Sorcerer Imunity
    Join Date: Mar 2016
    Location: Lithuania
    Posts: 769

    Quote Originally Posted by DeLixx View Post
    The secure technology is there, but the weakest node in the chain is the human itself.
    It's always been like that.
    Some people are more prone to these sorts of attacks than others.

    2FA can, for example, be bypassed if you use the same password on your mail account as on Growtopia, enable someone to gain remote control over your PC, or whitelist someone else's device after they've convinced you to do so.
    That is not a bypass, but rather getting access to the email or PC in one way or another. A bypass, however, is when someone logs into your account without having access to the email or PC. These things are happening.
    IGN: Imunity
