encrypt storage

Richard Gaskin ambassador at fourthworld.com
Thu Feb 5 12:38:56 EST 2015

Bob Sneidar wrote:

 > No I am encrypting the password using the encrypt command before
 > storing it in mySQL.

Does the system handle authentication, or is it just storing the 
password for some other system?

If the password will be decrypted on the server (as Mark Wieder is 
probably typing a reply to this as I'm writing <g>) if the server is 
compromised then all of the passwords become compromised along with it.

It seems more common to never store any passwords on a server system, 
instead storing only a (preferably salted) hash of the password 
(hopefully something stronger than LC's built-in sha1; Mark Smith's lib 
contains a function for sha256).

Incoming passwords are then hashed with the same salt to determine a 
match to the server store, and discarded from memory once authenticated.

This way if the server is compromised it'll take serious effort to 
reproduce the passwords.  With sha1 it can take a little as 49 minutes 
(see first link below), and with sha256 it may take years.

The downside to this approach is that passwords can only be reset, but 
never recovered.

The upside to this approach is that passwords can never be recovered. :)

Whenever I come across a system that lets me recover a password instead 
requiring me to reset it, I stop using it immediately.

Scary background on encryption, hashing, and crack times:





PS: There's a request for sha256digest in the RQCC:

  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  Ambassador at FourthWorld.com                http://www.FourthWorld.com

More information about the Use-livecode mailing list