Generating SHAs the same way PHP would

Discussion in 'Plugin Development' started by Miles_, Jun 24, 2012.

Thread Status:
Not open for further replies.
  1.
    I'm attempting to create a plugin to register users on my website by simply typing /register [password] in-game, and it records it in a MySQL database. If this is really impossible I guess I could store the passwords in plain text, but if possible I would like to not. Currently I have it generating them the wrong way somehow, but the data is being recorded in the MySQL database correctly. Sorry if I use a lot of terms the wrong way, I am relatively new to Bukkit and Java development.
    My hash code (Bukkit):
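    // Needs java.security.*, java.util.Random and java.io.UnsupportedEncodingException
    Random r = new SecureRandom();
    byte[] salt = new byte[8];
    r.nextBytes(salt); // fill the salt with random bytes
    MessageDigest md = null;
    try {
        md = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e1) {
        e1.printStackTrace();
    }
    try {
        // password is assumed to hold the argument typed after /register
        md.update(password.getBytes("UTF-8"));
        md.update(salt);
    } catch (UnsupportedEncodingException e1) {
        e1.printStackTrace();
    }
    byte[] passwordb = md.digest();
    // The raw digest bytes are turned straight into a String (no hex encoding)
    String passwordc = new String(passwordb);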
    The string passwordc is what I send to the MySQL database.
    The PHP hash code:
    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
    $password = hash('sha256', $_POST['password'] . $salt);
    $password is sent to the MySQL database. I have verified that both methods are sending data, but the Bukkit plugin's hash looks completely different.
    Both with the password lemon:
    Bukkit: Password: dzS\A *?*E?? salt: {Y@
    PHP: password: c7f52442532f62b51384216f45b35f7054cb0eeccf89f8ff218e5a051672b04b salt: 51d7b6696ec3343d
    Could someone please explain how I would create a hash in Java the same way as PHP? Thanks.
  2. Bukkit: every letter represents 8 bits
    PHP: every letter represents 4 bits (hex)
  3.
    I'm no cryptographic expert, but doesn't the salt have to be a constant? Otherwise how are you going to compare two passwords generated with different salts and see if the entered password is correct?
  4.
    So how would I make the Bukkit the same as PHP, or would it not be possible?

    I always used the same password to create each salt and password hash and it seems like both the password hash and salt are different each time, but I really have no idea how a lot of it works.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 26, 2016
  5.
    As far as I can remember you add the salt before you hash a password like this:

    Salt: 654321
    Password: TesT1234

    Then you add the salt to the password before you hash it like this.
    TesT1234654321 -> hash -> "hashcode" -> store in db

    Then when a player tries to log in he enters his password:

    Entered password: TesT1234

    password+hash (TesT1234654321) -> hash -> "hashcode" -> compare this hash to the one in the database, if match correct password
  6.
    Ok. The salt seems to be different for Bukkit and PHP. Do you know how I would make them generate the salt and hash the same?
  7.
    No, sorry. As I said, I don't know much about encryption. I have never worked with it, only read some about it a few years ago, and might very well be incorrect :)
  8. Make the hash (salt*) static inside code or config; once generated, the only change is by changing the config.
  9.
    I think I'll just store them in plain text or use some sort of extremely simple encryption system a little like Pig Latin.
  10.
    What I would do is create a PHP script to add the user to the database and everything and have the plugin merely input that data to the script. If you need some example code I'll gladly show you some.
  11.
    Generally salts are generated just once, when a new user is registered, and are stored alongside the username and hashed password. Then when a user tries to log in, the stored salt is used.

    I'm sure you're just kidding, but please please please don't store passwords in plain text.
    ferrybig likes this.
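An added example, not code from any poster in the thread: a Java version of the PHP scheme quoted in the first post (hex salt, SHA-256 over password followed by salt, lowercase hex output), with the per-user stored salt reused at login as the last reply describes. The class and method names are made up for illustration, and it assumes the website treats passwords as UTF-8.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class PhpCompatibleHash {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Charset UTF8 = Charset.forName("UTF-8"); // assumption: site uses UTF-8

    // Same shape as the PHP salt: two hex numbers in 0..2147483647, concatenated.
    static String newSalt() {
        return Integer.toHexString(RNG.nextInt() & 0x7fffffff)
             + Integer.toHexString(RNG.nextInt() & 0x7fffffff);
    }

    // Equivalent of PHP hash('sha256', $password . $salt): lowercase hex of the digest.
    static String hash(String password, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest((password + salt).getBytes(UTF8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b & 0xff)); // two hex characters per byte
        }
        return hex.toString();
    }

    // Login check: re-hash with the salt stored for this user, compare in constant time.
    static boolean verify(String entered, String storedSalt, String storedHash)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(hash(entered, storedSalt).getBytes(UTF8),
                                     storedHash.getBytes(UTF8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String salt = newSalt();              // generated once, at registration
        String stored = hash("lemon", salt);  // constructed sample password
        System.out.println("salt=" + salt + " hash=" + stored); // both go in the database row
        System.out.println(verify("lemon", salt, stored));      // same password, stored salt
        System.out.println(verify("lemons", salt, stored));     // different password
    }
}
```

A single salted SHA-256 is fast to brute-force offline; a password hashing function such as bcrypt or PBKDF2 on both the PHP and Java sides is the stronger design, at the cost of changing the stored format.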