Password protecting a data file... how to cope with forgotten password?

Peter M. Brigham pmbrig at gmail.com
Thu Jun 14 14:10:50 EDT 2012


I have an LC handler that uses sha1 to create an n-character alphanumeric string based on a hash of an input string and an optional individual password. I'm not a crypto expert, so I don't know how secure the result is, but it may be useful to somebody. The handler is below, but I have omitted the guts of it since I don't want the full code archived on the web for access to the hackerverse. Anyone who wants the full script can email me off-list. The basic script could be modified to create your own variant. Basically the idea is to translate the sha1 string into low-ASCII characters, which per the ongoing discussion doesn't lose much in the way of security.

function getHashCode2 tString, tLength, tPassword
   -- returns a tLength-character alphanumeric string (up to 20 chars, default = 12)
   --   that is a hash of the input string,
   -- uses SHA-1 for high-end (though not perfect) cryptographic security
   -- allows adding a password as input so that the hash can be duplicated only
   --   with the correct password
   -- if tPassword is empty, the hash is stable and is dependent
   --   only on the content of tString
   
   if tLength = empty then put 12 into tLength
   try
      put sha1digest(tString & tPassword) into tDigest
   catch tErr
      put md5digest(tString & tPassword) into tDigest
      -- if version < 4.5.3
   end try
   put "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" \
                into codeChars
   put length(codeChars) into howManyCodeChars
   repeat with i = 1 to the number of chars of tDigest
      ... <snip> ...
   end repeat
   repeat with j = 1 to tLength
      ... <snip> ...
   end repeat
   return finalCodeString
end getHashCode2

-- Peter

Peter M. Brigham
pmbrig at gmail.com
http://home.comcast.net/~pmbrig

On Jun 13, 2012, at 9:47 AM, Richard Gaskin wrote:

> Some apartment buildings use locks which support a master key held by the landlord, so that the tenant keys will only unlock their own door but the master key will trip enough tumblers to unlock any door in the building.
> 
> In your case, having a single hard-wired master key as an "OR" in your script might be too dangerous; anyone you send the master key to would then be able to unlock any such stack, not only their own.
> 
> But perhaps the key you send them would be a hash of some fixed salt string, the user name, and the date - it would then only work when applied to the user's stack (assuming their user name is stored somewhere in it), and only on the date you send it.
> 
> 
> General tip for anyone using hashes:
> 
> MD5 has been known to be theoretically crackable for some years, and this has become a reality as noted in recent news:
> 
>   MD5 password scrambler 'no longer safe'
> 
>   Summary: The MD5 password hash algorithm is “no longer considered
>   safe” by the original software developer, a day after the leak of
>   more than 6.4 million hashed LinkedIn passwords.
> 
> <http://www.zdnet.com/blog/security/md5-password-scrambler-no-longer-safe/12317>
> 
> Fortunately RunRev is on top of things, and several versions back added an alternative hash function, "sha1Digest", which is generally considered to be a more secure option.
> 
> So if any of your code is still using the older "md5Digest" function, it may be a good time to migrate to "sha1Digest".
> 
> --
> Richard Gaskin
> Fourth World
> LiveCode training and consulting: http://www.fourthworld.com
> Webzine for LiveCode developers: http://www.LiveCodeJournal.com
> Follow me on Twitter:  http://twitter.com/FourthWorldSys
> 
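
The recovery key Richard describes in the quoted reply (a hash of a fixed secret string, the user name and the date), encoded with the same 62-character alphabet as the handler above. This is an added example in Python, not code from either poster: it swaps in HMAC-SHA-256 for a bare sha1Digest of concatenated strings, and the function names, the secret and the sample user are assumptions.

```python
import hashlib
import hmac
from datetime import date

# Same 62 characters as codeChars in the handler above.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_alphanumeric(digest, length):
    """Encode a digest as `length` base-62 characters (least significant first)."""
    if not 1 <= length <= 20:  # 62**20 is far below 2**256, so bias is negligible
        raise ValueError("length must be between 1 and 20")
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, rem = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[rem])
    return "".join(chars)


def recovery_code(secret, user_name, day, length=12):
    """One-day unlock code bound to a user name and a date (hypothetical helper)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different
    # inputs, which plain string concatenation does not guarantee.
    fields = (user_name.encode("utf-8"), day.isoformat().encode("ascii"))
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return to_alphanumeric(digest, length)


def verify_recovery_code(secret, user_name, today, candidate, length=12):
    """Constant-time check of a code the user typed in."""
    expected = recovery_code(secret, user_name, today, length)
    return hmac.compare_digest(expected.encode(), candidate.encode())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, for illustration only
    code = recovery_code(secret, "alice", date(2012, 6, 14))
    print(code, verify_recovery_code(secret, "alice", date(2012, 6, 14), code))
    print(verify_recovery_code(secret, "alice", date(2012, 6, 15), code))  # next day
```

Because the stack has to hold the secret in order to check a code, anyone who extracts the secret from the stack can generate codes for any user and date.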




