What is the best way to make a "password" for Steam Login?

Viewed 8,521 times

0

Well, I tried using the steamid as if it were a password, receiving the data by POST; however, I find this a very insecure approach, since hackers can change the steamid and log into other users' accounts.

I would like to know the best way to create a kind of "password", or a hash, to avoid hacking attacks.

Thank you.

  • What is Steam exactly?

  • Are you using the OpenID from Steam to authenticate?

  • Always remember that if it's not what you're looking for, you can [Edit] the question and make your specific case clearer. If it is really another problem, the question can be reopened.

  • Bacco, my question is not a normal case but specific to Steam, because in Steam there is no "generate password".

  • Inkeliz, yes, I am using OpenID.

  • Can you explain the OpenID system better? And why does it imply a lack of security?


1 answer

-4

The best way to encrypt on your system is to make a password based on the user's choice with 3 encryptions.

Ex: the user chooses a password (12345)

Encryption 1: MD5(12345) = Result: 827ccb0eea8a706c4c34a16891f84e7b
Encryption 2: SHA-256(Enc 1) = Result: 30fdf15fd513fd69085f9344ff2d5d716254aa367bcac88e78ee60ad0298d606
Encryption 3: SHA-256(Enc 2) = Result: 4ac3e4f57090ed6de97f2a839fe505cb05ace7d2cbc8f75865ca95cabeb173e0

This way you get an encryption that is unbreakable so far, and it is impossible for a hacker to match the password.

There are also server protections to prevent sql_inject, such as

strip_tags($senha);

With these and other anti sql_inject measures you will have a perfect encryption. Another thing is for you to add a checksum to the user (like Steam_id), take this checksum + password and encrypt it again.

With this you will have almost 100% protection against attacks. It is worth remembering that for a hacker to change the password or gain access depends not only on encryption, but also on protection against SQL_INJECT!

  • 1

    Saying that md5 or sha-256 generates an unbreakable encryption is nowadays something considered a crime rs. With salt, then the story changes.

  • Another thing: using multiple encryption protocols over the same password is not always a good thing.... http://security.stackexchange.com/questions/18087/is-multiple-encryption-a-good-idea

  • And finally, as far as I could see, nothing was asked about SQL injection; on the other hand, the intention was good.

  • Friend, he requested a way to create a password that HACKERS could not hack and change; I just added that this solution of his would not be solved without SQLINJECT! >> or a hash, to avoid hacking attacks << // This way I only pointed out that encryption alone will not help. Read it all, please. And another thing: md5 and sha-256 are totally safe and unbreakable if well used! Obviously, with an encryption applied only once, or without a salt or a checksum, there may be a database that has already saved that password, as exists today, but you just have to know how to use it. I leave this site for reading:

  • I leave this site for reading on encryption from basic to advanced to be totally or almost totally secure: http://blog.thiagobelem.net/encryptando-passwords

  • link1 Link2 link3, all from the network itself.

  • Exactly @Marcelobonifazio, that is what I said: if used wrongly, there are several databases to make Shock and run all possible combinations. Therefore, a salt or checksum + 2 or 3 different encryptions is used. And of course, limit access attempts to 2 or 3 and block access by IP for x time; in this case he would have to restart the modem or restart the network every time, so the hacker would need a lot of time and will to get access. Another thing I mentioned in the examples: it is possible to create your own encryption and protect the file to the maximum.

  • This only generates a hash over a hash. Following this "logic", generating 10 hashes of the original would be safer, which makes no sense. I recommend password_hash.

  • In fact, to protect against brute force attacks it becomes safer, even more so if using different hashes along with a salt! Even password_hash can also be broken by brute force!

  • 3

    You posted the link to the blog as justification, and the author himself acknowledged that the post has problems http://blog.thiagobelem.net/encryptando-passwordspasswords passform-secure#comment-2315298464, apart from the fact that strip_tags to avoid SQL injection makes no sense at all.

  • 1

    The intention to help is good, but unfortunately the effect is the opposite. You have learned wrong and are passing on wrong knowledge in critical matters. Here is the suggestion to take the opportunity and review the article: How to hash passwords securely

