Upgrading your Matrix (or any revision) password security
Password encryption is a very important aspect of running a RuneScape private server. You should always encrypt your data and be as secure as possible, even if you do not have a large server, as it shows respect for your players' data. Imagine you were in their shoes: you use that password for everything, then some dumbass gets their database leaked and boom, your info is out there in the open for everyone to see.
The reason I am creating this tutorial is so that the many who don't have encryption can start using it, and so that the people using SHA-1, which was good back in 2012 I guess, have a higher standard for security in their servers. Most common public hash-cracking tools such as CrackStation already cover many of the common SHA-1 dictionary passwords and number combinations using GPUs, but have yet to include SHA-256 hashes, as it is a very big leap (kinda like SHA-0 -> SHA-1).
In short, if you value your players you will take the time to add better security to your server, as this is spoon-fed directly to you. For those using different sources, the code changes shouldn't be that different from what I am providing you now. Credits are in the code, but just a shoutout to this thread on CrackStation for the great encryption code, which I only edited in a very small way to benefit my needs. All creds to them.
STEP 1: Adding the PasswordHash class to your server...
STEP 2: Adding the changes to your LoginPacketsDecoder.java
Code:
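    // Legacy record: the stored value has the same length as a SHA-1 hex digest.
    if (sha1Encryption.length() == player.getPassword().length()) {
        if (sha1Encryption.equalsIgnoreCase(player.getPassword())) {
            // Old hash matches: re-hash the plaintext with PasswordHash and save it.
            player.setPassword(password);
            SerializableFilesManager.savePlayerByName(username);
        } else {
            session.getLoginPackets().sendClientPacket(ERROR_LOADING_PROFILE);
            return;
        }
    }
    // The stored value is in the new format at this point; validate against it.
    if (!PasswordHash.validatePassword(password, player.getPassword())) {
        session.getLoginPackets().sendClientPacket(INVALID_PASSWORD);
        return;
    }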
Add that in where your old method of checking the password was, then change
    password = Encrypt.encryptSHA1(password);
to
    String sha1Encryption = Encrypt.encryptSHA1(password); //OLD ENCRYPTION METHOD...
Then restart your server and it should work. Replace INVALID_PASSWORD and ERROR_LOADING_PROFILE with the numbers 3 and 20 respectively (3 = invalid login/password).
Hope you enjoy and get use out of this tutorial XD. If I left anything out or you need any help, just tell me and I will do my best to give you a hand. I am quite new to this but trying to help out and share the knowledge I learned. If you want to learn it straight from the source, read this
************* EDIT: I FORGOT SOMETHING
This is my setPassword method in Player.java. If you use the above code to the letter then you will need this as well; those of you who understand can just change the code above instead of this.
Code:
    // Stores the value as given, without hashing it.
    public void setRawPassword(String password) {
        this.password = password;
    }

    // Hashes the plaintext with PasswordHash and stores the result.
    public void setPassword(String password) {
        String newPassword = PasswordHash.createHash(password);
        // Sanity check that the new hash validates (even though there's no way this can fail).
        if (!PasswordHash.validatePassword(password, newPassword))
            return;
        // Sets the password.
        this.password = newPassword;
    }
REMINDER: Please remember that you need to change the changepassword commands, or whatever else did things the old way with Encrypt.encryptSHA1, because otherwise they will just set your players' passes back to the SHA-1 encryption and not use the new one you installed. So remember to do that as well!
I would just like to include on the main post, in the words of Velocity, the difference between this and actual encryption. You cannot reverse these hashed passwords.
Quote:
the difference between the two is basically this:
if i encrypt your face a surgeon can repair it to how it was before i hit you
if i hash your face god have mercy on the outcome and if you're in bad luck it looks like the face of savions after i messed it up as they can give collisions : - )
i hope you understand it's not interchangeable :)
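
The login-time upgrade from STEP 2, as an added stand-alone example (not the tutorial's code and not CrackStation's PasswordHash class): a stored record that is a bare SHA-1 hex digest is checked the old way and, only on a match, replaced with a salted PBKDF2 hash. The class and method names, the PBKDF2-HMAC-SHA256 parameters and the `iterations:salt:hash` record format are assumptions; it also goes slightly beyond the post by detecting legacy records with a hex pattern instead of a length comparison and by comparing hashes in constant time.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginMigrationDemo { // added example; every name here is hypothetical
    static final int ITERATIONS = 100_000; // assumed work factor; tune for your hardware
    static String sha1Hex(String pw) throws Exception { // the legacy scheme: unsalted SHA-1
        byte[] d = MessageDigest.getInstance("SHA-1").digest(pw.getBytes(StandardCharsets.UTF_8));
        return String.format("%040x", new BigInteger(1, d));
    }
    static byte[] pbkdf2(String pw, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    // New record format (assumed): iterations:base64(salt):base64(hash)
    static String createHash(String pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per password
        return ITERATIONS + ":" + Base64.getEncoder().encodeToString(salt) + ":"
                + Base64.getEncoder().encodeToString(pbkdf2(pw, salt, ITERATIONS));
    }
    static boolean validate(String pw, String stored) throws Exception {
        String[] p = stored.split(":");
        if (p.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(p[1]), want = Base64.getDecoder().decode(p[2]);
        return MessageDigest.isEqual(want, pbkdf2(pw, salt, Integer.parseInt(p[0]))); // constant-time
    }

    // Returns the record to store after this login, or null when the login must be rejected.
    static String login(String pw, String stored) throws Exception {
        if (!stored.matches("[0-9a-fA-F]{40}")) // not a bare SHA-1 hex digest: already migrated
            return validate(pw, stored) ? stored : null;
        byte[] given = sha1Hex(pw).getBytes(StandardCharsets.US_ASCII);
        byte[] legacy = stored.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(given, legacy) ? createHash(pw) : null; // upgrade only on match
    }

    public static void main(String[] args) throws Exception {
        String legacy = sha1Hex("hunter2"); // constructed sample record
        String upgraded = login("hunter2", legacy);
        System.out.println("upgraded record:  " + upgraded);
        System.out.println("wrong password:   " + login("nope", legacy));
        System.out.println("login after move: " + (login("hunter2", upgraded) != null));
    }
}
```

Accounts that never log in again keep their SHA-1 record, so a leaked database still exposes those until they are reset or re-wrapped.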