I am making a little webgame that has tasks and solutions, the solutions are solved by entering a code given to user after completion of a task. To have some security (against cheating) i dont want to store the codes genereted by the game in plain text. But since i need to be able to give a player the code when he has accomplished the task i cant hash it since then i cant retrive it.
So what is the most secure way to encrypt/decrypt something using python?
Exposing database IDs - security risk?
How can I let users run a script with root permissions?
Best way to sandbox Apache on Linux
Encryption is only really useful when someone enters a password to unlock it - if it remains unlocked (or the script has the password to unlock it), the encryption is pointless.
Secure hash and salt for PHP passwords
This is why hashing is more useful, since it is a one way process - even if someone knows your password hash, they don't know the plain-text they must enter to generate it (without lots of brute-force).
Check the signature on large data sets efficiently using JCA
I wouldn't worry about keeping the game passwords as plain-text.
Rails friendly url routing with open id
If you are concerned about securing them, fix up possibly SQL injections/etc, make sure your web-server and other software is up to date and configured correctly and so on..
Perhaps think of a way to make it less appealing to steal the passwords than actually play the game? For example, there was a game (I don't recall what it was) which if you used the level skip cheat, you went to the next level but it didn't mark it as "complete", or you could skip the level but didn't get any points.
How to implement web services on an embedded device?
Or look at Project Euler, you can do any level, but you only get points if you enter the answer (and working out the answer is the whole point of the game, so cheating defeats the playing of the game). If you are really paranoid, you could possibly use asymmetric crypto, where you basically encrypt something with
key A, and you can only read it with
key B... I came up with an similar concept for using GPG encryption (popular asymmetric crypto system, mainly used for email encryption or signing) to secure website data.
I'm not quite sure how this would apply to securing game level passwords, and as I said, you'd need to be really paranoid to even consider this... In short, I'd say store the passwords in plain-text, and concentrate your security-concerns elsewhere (the web applications code itself).
Passwords should be reduced to a hash.
This is a one-way transformation, making the password (almost) unrecoverable.. When giving someone a code, you can do the following to be actually secure.
. (1) generate some random string.. (2) give them the string.. (3) save the hash of the string you generated.. Once.. If they "forget" the code, you have to (1) be sure they're authorized to be given the code, then (2) do the process again (generate a new code, give it to them, save the hash.).
Where do you want the decryption to occur? One way or another, the plaintext has to surface since you need players to eventually know it.. Pick a cipher and be done with it..