SHA1 cracked .... What are the chances this will be addressed in LC?

Peter TB Brett peter.brett at livecode.com
Wed Mar 1 05:31:31 EST 2017


On 28/02/2017 15:46, Bob Sneidar via use-livecode wrote:
> Thanks for that Peter! I've been thinking about a way to encrypt data
> for storage in database systems for things like passwords and server
> credentials. Now to figure out how to decrypt it...

Hi Bob,

Never store user passwords in clear text, or in any encoding that can be 
reversed.  Both message digest algorithms and HMACs are intended to be 
*one-way* functions -- this is one of their important properties.

If you are handling passwords, then this is a pretty decent page with 
good guidelines on how to do it safely and securely:

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Note that the HMAC definition I posted earlier is a simplified version; 
it would probably be a good idea to have a library that provides the 
full spec described in https://tools.ietf.org/html/rfc2104

Also, I'm wondering whether to add an Argon2 or PBKDF2 implementation to 
the engine to help with this.

                                           Peter

-- 
Dr Peter Brett <peter.brett at livecode.com>
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode




More information about the use-livecode mailing list