Hackable?

If I made a plugin which stored the players name and password in a db file to provide secure accounts, would players be able to hack into the file or get around the method?

If you store passwords as plain text then if server gets hacked or compromised then yes its a possibility.

you should do something like this

Code:

$salt_left="some secret test"; // maybe even get it from config on server so person can salt it them self
$salt_right=="some secret test"; // maybe even get it from config on server so person can salt it them self
md5($salt_left.$password.$salt_right);

//to check if password is same just do 
if (md5($salt_left.$password.$salt_right) == $db_password){
return true;
}else{
return false;
}

salting a password and encrypting it is standard for most things these days with out salt you can still crack passwords by comparing them with know md5 hashes

Can players get into the oped players file because I think that happened to me before.

well crypt, md5, sha256, each to own they all still work fine, its really personal choice and if you cant use crypt functions due to shared hosting or other issues then your out of luck that is why salted md5 is still the standard for hashing passwords.

again is personal preferance

http://php.net/manual/en/function.password-hash.php

is better the crypt()

What would be the best way to prevent the server getting hacked then?

dotn use root user complex passwords sanitise all user input etc etc

id rather make my own algorithm then

I use whirlpool and gost for hashing my passwords.

what is bin2hex()?

Um... A function that converts raw binary data to raw hexadecimal data... What does that have to do with anything?

idk, will im just curious since simpleauth uses this.

It converts a binary string to a human-readable string. For example, "\x00" to "00".

@Tethereed_ theoretically, nobody can read the files inside your machine unless you let them to. But still, saving passwords in plaintext will make the server owner see everything, which we all hate.

no privacy

That makes sense. Better security for everyone I guess.

you could always use AES 256 encryption to do passwords

to be honest any password is crackable

keep in mind even though md5 is old way of doing it md5 ALONE is not recommended this is why people salted them as you would need to know salt depending on how complex your salt was would make it hard to easy to crack it, again I personally dont use it just for passwords i use it to hash my keys that are used in encrypting my passwords I doubt anyone with out a super comupter would be able to crack any of it

its ok im not superstitious