I have:
  • Open source Lua script that runs locally on the user's machine and works with sensitive data (passwords, logins from game accounts)
  • The recent merging of one of the script developers under the same platform as me (he just merged user JSON with passwords into the network)

How to encrypt user passwords so that they can then be decrypted to the source string?
Salt can be stolen (since the open source script), how to generate it dynamically, and most importantly, to store, salt is also not an option, the algorithm will be stolen.

One option is encryption on the side(server), but there are two problems:
  • The script does not pay for itself and is completely free, there is no money for the server
  • Users are unlikely to trust external encryption.

4 Answers

No way (with this formulation of the problem)
  • And if there is a server? – Hungry23 Sep 21 '19 at 19:16
  • Hungry23, As long as you have this type of question - you don’t need to write anything that real people will use

    When you have answers to all such questions, you can offer people your software after it has been reviewed by a dozen well-known specialists in the field of cryptography
    – Disney's88 Sep 21 '19 at 20:24
  • Hungry23, if there is a server, you won’t get such questions.
    There you can make an API, check hashes, write tokens, and much more.
    – Concerned44 Sep 21 '19 at 22:38
How to encrypt user passwords so that they can later be decrypted to the source string?

Passwords should not be decrypted; you must store a password hash and only have a hash from the user. If the hashes are equal, the user entered the password correctly.
  • Passwords are used to send authentication to the server; they must be transmitted in the form of a line. – Hungry23 Sep 21 '19 at 19:41
  • Hungry23, then do not store the password anywhere, the user entered - you logged in to them where necessary and forgot this password – Glowing Squirrel Sep 21 '19 at 19:57
  • Glowing Squirrel, the bottom line is to remember it and automatically enter it with every login. – Hungry23 Sep 21 '19 at 20:16
  • Hungry23, well... then store it encrypted on the user's machine, and select a parameter tied to specific hardware as a cipher, for example, a MAC address or something else. – Glowing Squirrel Sep 21 '19 at 20:18
  • Glowing Squirrel, this is the problem, the algorithm will be stolen, because it is open source, and another stealer script will decrypt and pull it to itself – Hungry23 Sep 21 '19 at 20:24
  • Hungry23, the algorithm is dragged away, and how do they recognize the password of my computer on which the password was encrypted? And for each network card it is (theoretically) unique. – Glowing Squirrel Sep 21 '19 at 20:25
  • Glowing Squirrel, both scripts work on the same computer, just as I recognize the MAC, so does the stealer recognize it – Hungry23 Sep 21 '19 at 20:41
  • Hungry23, in this case there is no solution, either close the source, or you need your own server to store the necessary data – Glowing Squirrel Sep 21 '19 at 20:43
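
The exchange in the comments above, as an added example (not code from the thread; Python standard library only, with a constructed MAC address and password): a key derived from a machine identifier can be re-derived by any other script on the same machine, while a key derived from a passphrase that is never stored cannot. The HMAC-based cipher is a dependency-free stand-in for a real AEAD library, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def derive_keys(secret: bytes, salt: bytes):
    """PBKDF2 -> (encryption key, MAC key). The salt is stored in the clear."""
    k = hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real
    # AEAD cipher, used here only so the example has no dependencies.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(keys, plaintext: bytes) -> bytes:
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(keys, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed sample values. A real script would read the MAC from the OS,
# which every other process of the same user can do as well.
MAC = bytes.fromhex("020000000001")
PASSWORD = b"game-account-password"

def compare_key_sources(passphrase: bytes = b"only the user knows this"):
    salt = os.urandom(16)  # saved next to the blob, so any local script can read it
    machine_blob = seal(derive_keys(MAC, salt), PASSWORD)
    user_blob = seal(derive_keys(passphrase, salt), PASSWORD)
    other_script_keys = derive_keys(MAC, salt)  # all a second local script can compute
    return {
        "other_reads_machine_blob": unseal(other_script_keys, machine_blob),
        "other_reads_user_blob": unseal(other_script_keys, user_blob),
        "owner_reads_user_blob": unseal(derive_keys(passphrase, salt), user_blob),
    }

if __name__ == "__main__":
    print(compare_key_sources())
```
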
0. Learn the basics. To start a wiki, though b
it will allow you not to write such nonsense
Salt can be stolen(since the script is open source), dynamically generated, and most importantly stored, salt is also not an option, the algorithm will be stolen.

1. Find recognized industry leaders. They all have btw open source code
2. Read their code
3. Take a couple of three crypt courses
  • Maybe you have some good suggestions? And in what particular place in the zero point did I write nonsense? – Hungry23 Sep 21 '19 at 22:31
  • [[Akionka]],
    What signs of a cryptographic system are known to you?
    – Disney's88 Sep 22 '19 at 00:35
  • [[sim3x]], what does it have to do with it? – Hungry23 Sep 22 '19 at 00:36
  • [[Akionka]], Basic Theory. Walks in 1-2 lessons – Disney's88 Sep 22 '19 at 00:46
  • [[sim3x]], and why do I need this information? Though crypto-resistant, even crypto-resistant, while computing on the user’s side will steal everything – Hungry23 Sep 22 '19 at 00:49
  • [[Akionka]],
    Without a minimum base, you will not be able to understand the tips that will give you
    – Disney's88 Sep 22 '19 at 01:00
The script does not pay for itself and is completely free, there is no money for the server
No money for the server? Is that so expensive? Or for you the server is a kind of rack hardware from a vendor for 5 thousand dollars? As a server, you can use the old D-link router purchased on occasion at a flea market for 200 rubles.

Users are unlikely to trust third-party encryption.
And what sadness is for users? They are generally what side to this? They told you the password - and what you do there with it, they don’t know at all.