Is there a guide for doing it with the crystal files?
It honestly, not joking, makes me uncomfortable when I click accounts and see people's passwords and know they are not stored securely... and this is just on a server that's not live yet.
@Far have you thought about importing Zircon's account management into Crystal's? Or adding a connected account management system (Facebook? Google?) I honestly would not know where to start, but if it's embedded into the default files it would become less of an issue?
I don't know of any guide, but it shouldn't be too complex to do. Instead of saving the password in plain text, you use one of the C# hash functions, hashFunction(password), and it'll return the hashed password, which you save. For extra security you can salt that password with a unique salt for every user or the same one for everybody. Let's say you use "hello" as a salt for everybody. You concat the user password with hello and hash it.
Then when the user logs in you have to do the same thing again. You concat his password with hello and check the hashed password against the hashed password stored in your db. If it matches, the password is correct and the user logs in. If you want a unique salt for every user, you need to save it in the user db. For extra security it can be something like the timestamp and a random number/string.
A hash is a one way encryption algorithm, so there's no way you get a hash and revert it to the original password. There are some databases with hashed passwords; that's why the salt is important, so no matter what, your hashed password will always be different from others.
RNGCryptoServiceProvider Class (System.Security.Cryptography), docs.microsoft.com: Implements a cryptographic Random Number Generator (RNG) using the implementation provided by the cryptographic service provider (CSP). This class cannot be inherited.
What would be the point in hashing passwords in crystal?
It's open source. You host a server. Change your own code to not hash the passwords.
Now you have people's passwords again.
Most server owners don't have bad intentions and they don't want your password. So what will change? Well, things like the Olymp database leak won't happen. And if it happens, it won't really matter because passwords are hashed.
That's why every open source project out there has hashed passwords. Even though you should always use different credentials.