SafeWallet
Bob Sneidar
bobs at twft.com
Thu Sep 27 13:54:16 EDT 2012
You may misunderstand me. I don't mean there should be a way to change it if you don't know it. I would call that a reset. I mean there should be a way to change it given that you DO know the old password. The option to reset the password if it is forgotten is wrought with problems, but with certain applications may be necessary.
The only way I can see to implement it is to be able to contact the developer who has personal information that the user submitted when registering the app. The developer would need the ability to unlock the app and reset the default admin password without being able to get to the data.
Of course it all depends on the app, and the nature of the data being stored. It might not be worth it. On the other hand, if it were an accounting app with the last 10 years of accounting data in it, and a disgruntled IT guy locked you out as he was leaving, you would definitely need a way to recover.
Bob
On Sep 27, 2012, at 10:42 AM, Andre Garzia wrote:
> On Thu, Sep 27, 2012 at 1:25 PM, Bob Sneidar <bobs at twft.com> wrote:
>
>> This should be a lesson to all developers. ALWAYS give users a way to
>> change their password.
>
>
> Bob,
>
> I don't think this is true. If the encrypted information is sensitive then,
> in my humble opinion, having a way to change their password without
> providing the current one is a security vulnerability. I think that the
> convenience of being able to forget the password you set is not worth the
> risk of somebody else getting the data by doing the same procedure.
>
> Of course this only holds for sensitive data for common stuff then this is
> more than reasonable and desired. For example, if my browser bookmarks are
> encrypted, having such feature would be great but if we're talking about an
> app that collects stuff as sensitive as my credit card passwords then
> nothing should ever touch that without the password.
More information about the use-livecode
mailing list