
Xera Simple mailer not working


hello


7 hours ago, Mahtab Hassan said:

Nah, I'm not going to add a login system.

Why, though? It would be useful. What has made you decide against it?

7 hours ago, TinkerMan said:

SHA is not designed to encrypt passwords; you should use bcrypt or that other algorithm that starts with an a, but I forget its name.

Argon2id?


13 hours ago, Mahtab Hassan said:

The encryption key is only used in encrypting SSL files.

MOFH-R also uses a salting system.

Different hashing algorithms are used in MOFH-R. sha256 is used to encrypt passwords.

 

Can the encryption key be anything I want to put it as, or what is it for?

What is the salt that is added to it? Like, every time I make an account with the same password, the hash is the same.


1 hour ago, hello said:

Can the encryption key be anything I want to put it as, or what is it for?

What is the salt that is added to it? Like, every time I make an account with the same password, the hash is the same.

If you compare your password hash with a normal sha256 hash of the same string used for your password, you will see the difference.


7 hours ago, Anyx said:

Why, though? It would be useful. What has made you decide against it?

In Xera, the admin account uses a session for being logged in, while the user account uses a cookie for being logged in. But in MOFH-R both accounts use a cookie, and a role cookie as well, which will be overwritten if you log in as a user, and you will need to log out and log in again to access the admin panel.


28 minutes ago, hello said:

@Mahtab Hassan Can people hack it and use the cookie to log in? And is there no way to log in to the user's account? Or maybe you could change it to a session?

Nah, they can't hack it, but the system verifies that the login token matches the details given in the user account and verifies that the user has the same role defined in the cookie. When an admin logs in to a user account, the admin is automatically logged out and is logged in as the client account, but if the admin wants to log in to his own account he will need to log out first and log in to the admin account again.


@Mahtab Hassan But is the salt 'salt'?

defined('HASH_SALT') OR define('HASH_SALT', 'salt');

'salt' is the salt that is default, right?

And it's added at the front or back, am I right?

And if I hash a password it comes out as 'somerandomhash'

and then it hashes 'somerandomhash' to something else, am I right?

Edited by hello

1 hour ago, hello said:

@Mahtab Hassan But is the salt 'salt'?

defined('HASH_SALT') OR define('HASH_SALT', 'salt');

'salt' is the salt that is default, right?

And it's added at the front or back, am I right?

And if I hash a password it comes out as 'somerandomhash'

and then it hashes 'somerandomhash' to something else, am I right?

According to MOFH-R, when hashing the first time it will hash $hash = hash('sha256', $string.':'.HASH_SALT); after that the following code will run: $hash = hash('sha256', $hash.':'.HASH_SALT); this code will be repeated 24 times, and after that the function will return the last generated hash.


On 11/25/2022 at 5:54 PM, Mahtab Hassan said:

According to MOFH-R, when hashing the first time it will hash $hash = hash('sha256', $string.':'.HASH_SALT); after that the following code will run: $hash = hash('sha256', $hash.':'.HASH_SALT); this code will be repeated 24 times, and after that the function will return the last generated hash.

 

 

@Mahtab Hassan Is this correct?

If the password is 'hello' for example.

the hash would be

$hash = hello:salt

I think 'salt' is the default salt am I right?

Then the output would be

0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53

Then it will do

$hash = 0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53:salt

Then that process would be repeated 24 times.

-----------------------

Or is it

$hash = sha256hello:salt

Thanks


3 hours ago, hello said:

@Mahtab Hassan Is this correct?

If the password is 'hello' for example.

the hash would be

$hash = hello:salt

I think 'salt' is the default salt am I right?

Then the output would be

0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53

Then it will do

$hash = 0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53:salt

Then that process would be repeated 24 times.

-----------------------

Or is it

$hash = sha256hello:salt

Thanks

The one you described first is right.


2 hours ago, hello said:

@Mahtab Hassan Here? Well, it takes a long time. It tries all possible combinations, and when hash = targethash then I found the password. People can't find out the pattern though if you have changed the stuff.

I see. It doesn't matter until the system is secure, and I thought I had already mentioned in the document to change the value of the salt to make the system more secure.


2 hours ago, TinkerMan said:

Are you challenging us?

And @Mahtab Hassan, if you can make the password storage even more secure, like using PHP's password_hash(), that would be better.

 

Do not worry bro, I can make that, but currently I don't think there is any need to change the password encryption/hashing method because MOFH-R is not made to be used in a very large community. By the way, I'm learning Laravel and will soon implement something new and way more secure than the old clientareas.

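The scheme described in the thread (SHA-256 over "string:salt", repeated 24 more times with a constant HASH_SALT) next to PHP's password_hash(), which TinkerMan suggested, as an added example that is not part of the original posts and not MOFH-R's own code. The function names described_hash and verify_and_upgrade are hypothetical, and the sample passwords are constructed.

```php
<?php
// Added example. Reconstructed from the description in the thread; this is
// not MOFH-R's source. 'salt' is the default value quoted in the thread.
defined('HASH_SALT') OR define('HASH_SALT', 'salt');

// Hypothetical name. One initial SHA-256 over "string:salt", then the same
// step repeated 24 times over the previous hex digest, as the post describes.
function described_hash(string $string): string
{
    $hash = hash('sha256', $string . ':' . HASH_SALT);
    for ($i = 0; $i < 24; $i++) {
        $hash = hash('sha256', $hash . ':' . HASH_SALT);
    }
    return $hash;
}

// Hypothetical login helper: accepts a stored value in either format and
// returns [verified, replacement hash to store or null].
function verify_and_upgrade(string $password, string $stored): array
{
    // A legacy value is a bare 64-character hex SHA-256 digest.
    $legacy = strlen($stored) === 64 && ctype_xdigit($stored);
    $ok = $legacy
        ? hash_equals($stored, described_hash($password))
        : password_verify($password, $stored);
    $new = null;
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $new = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $new];
}

// Constructed sample: two accounts choose the password 'hello'.
// With a site-wide constant salt both stored values are the same string.
$legacyA = described_hash('hello');
$legacyB = described_hash('hello');
var_dump($legacyA === $legacyB);

// password_hash() draws a random salt per call and embeds it, with the
// algorithm and cost, in its output, so the two values differ.
var_dump(password_hash('hello', PASSWORD_DEFAULT) === password_hash('hello', PASSWORD_DEFAULT));

// On the next successful login a legacy record is replaced in place.
[$ok, $upgraded] = verify_and_upgrade('hello', $legacyA);
var_dump($ok, password_verify('hello', $upgraded));
[$okBad, $none] = verify_and_upgrade('wrong', $legacyA);
var_dump($okBad, $none);
```

The first comparison reproduces what hello observed earlier in the thread: identical passwords give identical stored hashes when the salt is a constant rather than a per-user random value.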
