Closed sgdc3 closed 4 years ago
Linked comment:
Hi, I send this comment for an idea. I am a webmaster and on my website I use a custom hash method like: sha1(md5(username)+'text'+md5(password))
I would like to know if, for another version of AuthMe, it would be possible to add a "Custom crypt" method, and in the config file we choose what we want to put
(actually I have created a new class for my crypt method, but when there is a new version I need to update everything)
Thanks for your answer. Cordially
One possibility would be a config setting with the full class name, e.g.:
customCrypt: 'com.example.crypts.CustomCrypt'
Then the class just needs to be present during class loading.
From a security standpoint I wouldn't recommend using custom hashes, though. The one mentioned in the comment ought to be replaced with Bcrypt or so. Custom hash is a bad idea, unless it's for hooking into some other system.
Hmm, thinking about this and @sgdc3's comment he linked. Some API call would ensure the class is already loaded. Not too familiar how classes are loaded... but essentially it depends how that custom class can be added. It's not as simple as dropping the java file into the JAR's crypt folder :P
Never heard of this request again and a homebrew hash method is, as we know, a bad idea. Our BCRYPT hash algorithm works well with PHP's password_hash() so that should be ~sufficient~ preferred.
Otherwise -> listen to & modify PasswordEncryptionEvent
http://dev.bukkit.org/bukkit-plugins/authme-reloaded/?comment=6616
http://dev.bukkit.org/bukkit-plugins/authme-reloaded/?comment=6618
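The config-driven loading suggested in the thread (a `customCrypt` setting holding a full class name), sketched as an added example that is not AuthMe's code. `CustomCryptLoader`, `HashMethod` and `LegacySiteHash` are hypothetical names, and the `+` in the requested scheme is assumed to mean string concatenation. The loader refuses any configured class that does not implement the expected interface before instantiating it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CustomCryptLoader {
    /** Hypothetical contract; AuthMe's real interface is not shown on this page. */
    public interface HashMethod {
        String computeHash(String username, String password) throws Exception;
    }

    /** Constructed stand-in for the requested scheme: sha1(md5(username)+'text'+md5(password)). */
    public static class LegacySiteHash implements HashMethod {
        public String computeHash(String username, String password) throws Exception {
            // Assumption: '+' in the request means concatenation of hex digests
            return hex("SHA-1", hex("MD5", username) + "text" + hex("MD5", password));
        }
        private static String hex(String algorithm, String input) throws Exception {
            byte[] digest = MessageDigest.getInstance(algorithm)
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        }
    }

    /** Resolve the configured class name, refusing anything that is not a HashMethod. */
    public static HashMethod load(String className) {
        try {
            // initialize=false: no static initializer runs before the type check
            Class<?> raw = Class.forName(className, false, CustomCryptLoader.class.getClassLoader());
            if (!HashMethod.class.isAssignableFrom(raw)) {
                throw new IllegalArgumentException(className + " does not implement HashMethod");
            }
            return raw.asSubclass(HashMethod.class).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalArgumentException("Cannot load customCrypt class " + className, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Stands in for the customCrypt value read from the config file
        String configured = LegacySiteHash.class.getName();
        System.out.println(load(configured).computeHash("player", "secret"));
        try {
            load("java.lang.String"); // present on the classpath, but the wrong type
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```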