Burgershot
Suggestion DIALOG_STYLE_PASSWORD_SECURE
Sasino97
Offline

Software Developer
Posts: 108
Threads: 16
Joined: Apr 2019
Reputation: 7
Location: Tampa, FL
#1
2019-04-30, 08:03 AM (This post was last modified: 2019-04-30, 08:14 AM by Sasino97.)
DIALOG_STYLE_PASSWORD_SECURE

I suggest the (client/server) implementation of this new dialog style, which is basically DIALOG_STYLE_PASSWORD, but returning an already bcrypt-hashed string in the inputtext argument: the server has access to the unhashed password, but not in the script.

Yes, the server scripter could still access the plain text password by using plugins that intercept the data sent between the server and the client, but the goal is not to prevent him from doing so, but to promote the hashing of passwords out of the box.

The client-side dialog interface should show a "trusted" icon (or anything similar), with a tooltip appearing on mouse hover, telling the user that his password is secure.

[Image: image.png]
BloodMaster
Offline

Burgershot Member
Posts: 33
Threads: 2
Joined: Apr 2019
Reputation: 2
#2
2019-04-30, 02:27 PM (This post was last modified: 2019-04-30, 02:27 PM by BloodMaster.)
(2019-04-30, 08:03 AM)Sasino97 Wrote: Yes, the server scripter could still access the plain text password by using plugins that intercept the data sent between the server and the client,

If the client already sends a hashed password, then there would be no way to access it.
Good idea, but if it's possible to re-create that icon in the corner, you could fake a secure password and make the players think that they're inputting a safe password.
hual
Offline

King

Posts: 106
Threads: 3
Joined: Feb 2019
Reputation: 7
Location: Bulgaria
#3
2019-05-01, 02:36 PM
This could actually be enforced on the server as well.
JustMichael
Offline

Forum Manager

Posts: 189
Threads: 3
Joined: Feb 2019
Reputation: 17
Location: England
#4
2019-05-01, 03:52 PM
I think he means that it is encrypted within O-MP before it is passed to the script. Therefore it forces server owners to use already encrypted passwords.
As much as I like this, it would mean that there would have to be a way to pass a salt as well as the password to the gamemode
and also allow some global way to set the pepper.
Sasino97
Offline

Software Developer
Posts: 108
Threads: 16
Joined: Apr 2019
Reputation: 7
Location: Tampa, FL
#5
2019-05-02, 03:23 PM
(2019-05-01, 03:52 PM)JustMichael Wrote: I think he means that it is encrypted within O-MP before it is passed to the script. Therefore it forces server owners to use already encrypted passwords.
As much as I like this, it would mean that there would have to be a way to pass a salt as well as the password to the gamemode
and also allow some global way to set the pepper.

Well, there's no salt problem if we use bcrypt, since it stores the digest and the salt in the same string.

(2019-05-01, 02:36 PM)hual Wrote: This could actually be enforced on the server as well.

Yes true, but only if the encryption is made client-side, which is actually a good idea. 

(2019-04-30, 02:27 PM)BloodMaster Wrote:
(2019-04-30, 08:03 AM)Sasino97 Wrote: Yes, the server scripter could still access the plain text password by using plugins that intercept the data sent between the server and the client,

If the client already sends a hashed password, then there would be no way to access it.
Good idea, but if it's possible to re-create that icon in the corner, you could fake a secure password and make the players think that they're inputting a safe password.

In the optic of creating a totally customizable open.mp, yes that's true, but it would be no easy task to reproduce it perfectly.
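
Post #5's point that a bcrypt string carries its salt alongside the digest, shown as an added example (not code from this thread or from open.mp). The names `split_bcrypt`, `bcrypt_b64decode` and `SAMPLE` are assumptions made for illustration, and the sample string is constructed:

```python
import re

# bcrypt uses its own base64 alphabet: "./" first, no "=" padding.
B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# $<version>$<2-digit cost>$<22 chars of salt><31 chars of digest>
FORMAT = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

# Constructed sample in bcrypt's layout; not the hash of any real password.
SAMPLE = "$2b$12$" + "Zk3vQ1xTn8LrWm2YbH4cPu" + "s7Jd0fKqR9aVtXe5MiUy2GhNwB6oClE"


def bcrypt_b64decode(text):
    """Decode bcrypt-style base64: 6 bits per character, most significant first."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits = (bits << 6) | B64.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append(bits >> nbits)
            bits &= (1 << nbits) - 1
    return bytes(out)  # leftover bits (4 for a salt, 2 for a digest) are padding


def split_bcrypt(hash_string):
    """Split one bcrypt string into the fields it carries."""
    m = FORMAT.fullmatch(hash_string)
    if m is None:
        raise ValueError("not a bcrypt string")
    version, cost, salt_text, digest_text = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return {
        "version": version,
        "cost": int(cost),                        # work factor: 2**cost rounds
        "salt": bcrypt_b64decode(salt_text),      # 16 bytes
        "digest": bcrypt_b64decode(digest_text),  # 23 bytes
    }


if __name__ == "__main__":
    for name, value in split_bcrypt(SAMPLE).items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Because the salt and cost sit inside the stored string, verifying a login means re-running bcrypt over the submitted password with that stored salt and cost, not comparing two independently generated hashes.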