HomeWildfire Games

Additional entropy when hashing match passwords.


Additional entropy when hashing match passwords.

The purpose of our client-side hashing for lobby game passwords is to prevent malicious hosts from getting valuable passwords from clients (e.g. accidentally typing their lobby password instead of the game, or even their email password, etc).
However, the hashing was deterministic (and rather simple), making it possible to compute rainbow tables and recover user passwords anyways.

By adding more variation, including some that cannot so easily be controlled by the host (the client name), this becomes impractical. The password hashing function used is rather fast, but given the base low probability of mistypes, this seems fine.

Differential Revision: https://code.wildfiregames.com/D3459