Can password_hash & password_verify be used in Unity?

Discussion in 'Scripting' started by OldRod, Jun 15, 2018.

  1. OldRod

    I have a website with a login/registration system built in PHP that uses password_hash and password_verify to encrypt and verify passwords. Everything works fine on that end.

    Now I want players to be able to log in from my Unity project as well, using the same username/password that they can use from the website. I am getting the username/password from a Unity UI form and sending the password from Unity to a PHP script, but I want to encrypt it before I send it (so it's not sent as plain text). The problem is, I can't figure out how to use the PHP functions password_hash and password_verify in C# in Unity.

    Is there an example somewhere that shows this?

    Or is it even possible? If not, is there a good, secure way to hash passwords in both Unity and PHP that produces the same result?

    Thanks!
     
  2. Hosnkobf

    In the namespace "System.Security.Cryptography" you can find a lot of hashing algorithms. But the ones described here are not part of .NET/Mono or Unity AFAIK.
    Maybe this library helps you: http://www.bouncycastle.org/csharp/

    Anyways: It is not so important to hash the passwords when sending... because a man in the middle wouldn't need the plain password anymore to log in; it would be enough to grab the hash instead. The only benefit is that the thief doesn't know the actual password the user was typing, but he can do the same on your backend anyways.

    Therefore it is more important to have a secure connection. You should SSL-encrypt your endpoint (e.g. with "Let's Encrypt") and store a key in your app to open the connection. This way the man in the middle would need to get the key before stealing other data.
     
  3. OldRod

    Thank you, I'll check that library out.
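
Added example (not written by any poster in this thread): the server side of the login in PHP. It shows that password_hash salts randomly, so a client cannot reproduce the stored hash, and that the endpoint instead checks the password received over HTTPS with password_verify. The helper name handle_login, the in-memory $users array and the sample credentials are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample store; a real site would read the hash from its database.
$users = ['player1' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

// handle_login() is a hypothetical helper: $post is the POST body sent by the
// game client, $isHttps says whether the request arrived over TLS.
function handle_login(array $users, array $post, bool $isHttps): array
{
    if (!$isHttps) {
        // Never accept credentials over plain HTTP.
        return ['status' => 400, 'ok' => false, 'error' => 'https required'];
    }
    $name = is_string($post['username'] ?? null) ? $post['username'] : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';

    // For unknown users, verify against a dummy hash so the response time
    // does not reveal whether the account exists.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $known = array_key_exists($name, $users);
    $valid = password_verify($pass, $known ? $users[$name] : $dummy);

    return ($known && $valid)
        ? ['status' => 200, 'ok' => true]
        : ['status' => 401, 'ok' => false, 'error' => 'invalid credentials'];
}

// 1) password_hash() picks a random salt: hashing the same password twice gives
//    different strings, so a client-side hash can never equal the stored one.
$a = password_hash('correct horse battery', PASSWORD_DEFAULT);
$b = password_hash('correct horse battery', PASSWORD_DEFAULT);
echo 'same hash twice: ', var_export($a === $b, true), PHP_EOL;
echo 'both verify:     ', var_export(
    password_verify('correct horse battery', $a) &&
    password_verify('correct horse battery', $b), true), PHP_EOL;

// 2) Constructed requests, as the Unity client would POST them.
$good = ['username' => 'player1', 'password' => 'correct horse battery'];
$bad  = ['username' => 'player1', 'password' => 'wrong'];
echo json_encode(handle_login($users, $good, true)), PHP_EOL;
echo json_encode(handle_login($users, $bad, true)), PHP_EOL;
echo json_encode(handle_login($users, $good, false)), PHP_EOL;

// In a real endpoint:
// $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
```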