• Hey! Guest! The 39th GMC Jam will take place between November 26th, 12:00 UTC and November 30th, 12:00 UTC. Why not join in! Click here to find out more!

Networking and Password Security

I'm beginning the developing of an online RPG using C# and GMS2. Since users will store sensitive information on a database I have a few questions I would like to ask the community.

  1. Does GML have a built in CSPRNG? - On that note, why is it not recommended to use a regular random number generator (such as random()?
  2. Does GML have any password hashing functions, or will I have to develop an extension?
  3. What about the database side of things? Where would I store usernames, hashes and salts? How will I interact with it using GML?
  4. I've read not to use fast cryptographic hash functions such as MD5 and SHA1 - but, if the passwords are hashed and salted correctly, why would this be of any concern? Aren't things like brute force attacks take care of with CAPTCHAs?
 

FrostyCat

Member
Does GML have a built in CSPRNG? - On that note, why is it not recommended to use a regular random number generator (such as random()?
No, you would either have to write an extension or implement the algorithm yourself.
Does GML have any password hashing functions, or will I have to develop an extension?
No, and I think you have the wrong question to start with. Passwords are always hashed only on the server side. And if you're planning on writing the central server in GM, that in itself is a problem.
What about the database side of things? Where would I store usernames, hashes and salts? How will I interact with it using GML?
Again, I think you have the wrong question. Writing the central server in GM is a bad idea.

The usual strategy is to use a web application to receive HTTP requests (which http_request() in GML can send), then perform database operations accordingly. Web application frameworks often have user, password and database handling out of the box. It's your responsibility to learn how to use one or hire someone else who does.
I've read not to use fast cryptographic hash functions such as MD5 and SHA1 - but, if the passwords are hashed and salted correctly, why would this be of any concern? Aren't things like brute force attacks take care of with CAPTCHAs?
The main point of using slow salted password hashes like bcrypt and scrypt is that they are much slower to mass-compute in case of a database breach, giving you and your players more time to change the passwords after you realize it has happened. When the database is stolen, the non-legit tries don't go through CAPTCHA anymore.
 
Top