Question about "that thing you key in that's not a user name when you're logging in"

Alex Tweedly alex at tweedly.net
Wed Dec 30 19:28:56 EST 2015


Some people dislike that method because it lets an attacker 'guess' a 
username separately from password; there is (arguably) more security in 
having the attacker be unable to tell which one didn't match.

Personally, I don't know enough to have an opinion - certainly not 
enough to listen to my own opinion :-)

-- Alex.


On 30/12/2015 23:52, Bob Sneidar wrote:
> What I do (and I have seen this in other login systems apart from LC) is I have a User Name field and a Login button. When clicked it will check a database of user names and balk if it cannot find the user. It then uses Ask Password, encrypts it using a seed value only I know, compares it with the stored encrypted value, and proceeds or declines based on if it matches.
>
> Bob S
>
> On Dec 30, 2015, at 15:04 , J. Landman Gay <jacque at hyperactivesw.com> wrote:
>
> On 12/30/2015 5:18 AM, Richmond wrote:
> > one thing that is very odd is 'mcEncrypt';
> >
> > firstly because it may be the only thing in LiveCode that
> > betrays LiveCode's ancestry in MetaCard,
>
> It was part of the original MC 1.0 and was used only internally to encrypt the entry from an ask dialog. The encrypted form was returned to the script. There was no way to obtain the original unencrypted text entry.
>
> > and
> >
> > secondly because the Documentation (7.1) tells us
> > nothing beyond that it is 'Reserved for internal use'.
> >
> > That 'Reserved' is all jolly well and good, but made
> > me feel a bit strange having read the entry for
> >
> > "ask p_assword" [there's another way of getting round things, even if,
> > for Americans,
> > it might seem a bit 'fruity']
> >
> > where it says:
> >
> > 'get mcEncrypt(it)'
>
> At some point the dialog behavior changed and the engine now returns only the raw text. It is now necessary for the script rather than the engine to handle the encryption if that's desired. When the behavior changed, mcEncrypt was made public and put into the dictionary.
>
> --
> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
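
The trade-off raised at the top of this message, as an added example in Python (not LiveCode, and not code from any list member): a login that checks the name first answers differently for a valid name than for an unknown one, while a login that checks both fields together gives one answer for every failure. The user names, passwords, function names and the salted PBKDF2 hash are assumptions of this example; PBKDF2 stands in for the seed-based encryption described in the quoted message.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample user store (hypothetical names and passwords).
USERS = {"bob": make_user("correct horse"), "jacque": make_user("stack+card")}

# Record verified when the name is unknown, so both failure paths
# perform the same hashing work before answering.
_DUMMY = make_user("placeholder for unknown names")

def two_step_login(username: str, password: str) -> str:
    """Name is checked first, then the password (the flow in the quoted message)."""
    if username not in USERS:
        return "unknown user"        # caller learns the name is wrong
    rec = USERS[username]
    if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return "ok"
    return "wrong password"          # caller learns the name is valid

def single_step_login(username: str, password: str) -> str:
    """Both fields are checked together; every failure gets the same answer."""
    rec = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    if username in USERS and matches:
        return "ok"
    return "login failed"

def names_revealed(login, names, password="x"):
    """Review check: which names answer differently from a name that cannot exist."""
    baseline = login("no-such-user-" + os.urandom(4).hex(), password)
    return [n for n in names if login(n, password) != baseline]
```

Running `names_revealed` over both functions with a mix of real and made-up names shows the difference: the two-step flow returns the real names, the single-step flow returns an empty list.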




