SHA1 cracked .... What are the chances this will be addressed in LC?

Bob Sneidar bobsneidar at iotecdigital.com
Wed Mar 1 10:37:33 EST 2017


Hi Peter. Very informative thank you. In the example, 

[protected form] = [salt] + protect([protection func], [salt] + [credential]);

It looks like they are saying to prepent the salt prior to the protect function (in the case of LC that would be encrypt) but if someone got access to the SQL database, wouldn't that give part of the secret away? Isn't the salt value a way to further obscure the credential, making something like a hash table more difficult? 

I use a salt value that only I know, and I password protect the stack that uses it. Seems to me that prepending the salt to the protected form is like giving someone my user name but not my password. The other team is starting on the 50 yard line (in American sports vernacular). 

Bob S


> On Mar 1, 2017, at 02:31 , Peter TB Brett via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> If you are handling passwords, then this is a pretty decent page with good guidelines on how to do it safely and securely:
> 
> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet





More information about the use-livecode mailing list