Bringing in the notion of display name and password into HexHoot

In the initial versions of HexHoot, we required users to click a button to generate a random hexadecimal string as a private key, which acted as a combination of their display name and their password. This was hard to explain and hard for others to understand, because people are so used to logging into services with a display name and a password. Starting from v1.0.4, HexHoot supports logging in or signing up with a display name and password.

From this, to this! [before and after screenshots]

Does this mean that HexHoot is using a centralized server to enable authentication? Absolutely not. We just thought of a simple change that moves private key generation into the background. Let me explain how.

Secure Hash Algorithm 2 (SHA-2) is a well-known algorithm that can be used to hash a string to a hexadecimal value. For example, the string "HexHootLovesBATMAN" would yield a SHA-256 hash value of "d32b96b30a8954cc748b88dae00915c965bcf35d785243d0836bac46aa0cd0a3". This string could be used as a private key with the original versions of HexHoot. In other words, one could simply have a password field and generate a private key directly from it.

However, we did not stop there. There are several repositories online that store strings together with their corresponding SHA hash values. Hence, directly using this standard algorithm may not be the best thing to do. One way to get around this is to perform "salting".

In cryptography, "salting" means concatenating the user input with some random string, here one defined in the software program, so that the overall string is longer and a database is unlikely to contain an entry for it.

Additionally, to "ensure" that the display name and password are associated with each other, the password is effectively concatenated with the username, a separator, and a salt string at either end. Here is a peek into the function that does all this.



As you can see, the salt being used is not in Latin characters. In fact, most people would not find these characters on their keyboards. The salts are written in a language named Malayalam, which is spoken by about 35 million people hailing from Kerala, India, and I am one of them. And we generally use QWERTY keyboards.
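The derivation described above, as an added Python example that is not HexHoot's own function: it shows the salted concatenation next to a hardened variant that length-prefixes each field, normalises Unicode, and uses scrypt instead of a single SHA-256. The salt strings, the separator, the field order and the function names are assumptions made for illustration.

```python
import hashlib
import unicodedata

# Constructed placeholders: the post's real salts and separator are not shown here.
SALT_HEAD = "ഉപ്പ്"       # Malayalam for "salt"
SALT_TAIL = "കുരുമുളക്"   # Malayalam for "pepper"
SEPARATOR = "|"


def concat_key(name: str, password: str) -> str:
    """Post's scheme (field order assumed): salt+name+separator+password+salt, one SHA-256."""
    material = SALT_HEAD + name + SEPARATOR + password + SALT_TAIL
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def _field(text: str) -> bytes:
    """NFC-normalise, UTF-8 encode and length-prefix one field."""
    data = unicodedata.normalize("NFC", text).encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def hardened_key(name: str, password: str) -> str:
    """Same inputs, unambiguous framing, and scrypt instead of a single fast hash."""
    # No server stores a per-user salt, so derive it from the app salts and the name.
    salt = hashlib.sha256(_field(SALT_HEAD) + _field(name) + _field(SALT_TAIL)).digest()
    key = hashlib.scrypt(_field(password), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return key.hex()


if __name__ == "__main__":
    # Constructed sample credentials.
    a, b = ("alice|x", "y"), ("alice", "x|y")
    print("plain concat collides:   ", concat_key(*a) == concat_key(*b))
    print("length-prefixed collides:", hardened_key(*a) == hardened_key(*b))
    # The same visible password typed as different code points (é vs e + combining accent).
    print("NFC makes keys match:    ",
          hardened_key("alice", "caf\u00e9") == hardened_key("alice", "cafe\u0301"))
```

Salts defined in the program are the same for every user of that program, so what they add is protection against generic precomputed tables; the cost of each guess against a particular display name comes from the scrypt parameters.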
