Differences between Commercial and Community versions of LiveCode
Tom Glod
tom at makeshyft.com
Wed Jun 6 15:10:58 EDT 2018
Thanks for that reply, Mark. Totally hear you on that. My application works
fully on 1 local machine. I will have a central registration server, but it
will be optional. So everything is on a local drive or on a server on a LAN.
My task is to follow standards and add to the pain-in-the-ass level for anyone
who wants to play hacker, on top of using AES 256 encryption and making the
user type in a password to unlock the data. Salts are useful in that, on a
single machine, but they become problematic with software upgrades or fixes,
like you said. I don't currently use a hardcoded salt, but I generate a salt
from unique data that binds to the password and the user.
Your participation in these topics is much appreciated. Cheers.
On Wed, Jun 6, 2018 at 1:40 PM, Mark Waddingham via use-livecode <
use-livecode at lists.runrev.com> wrote:
> On 2018-06-06 18:09, Tom Glod via use-livecode wrote:
>
>> What if, for example, you want to hard code a hash salt into your code?
>> If the code is readable, then so is the salt. I would vote for unreadable
>> code 100% of the time.
>>
>
> Technically even if the code isn't readable, then the salt will still be
> there - all you are doing is making it more difficult for relatively
> unmotivated individuals to get at it. Which perhaps doesn't help much, as
> the unmotivated are probably not the ones who are going to cause any
> problems.
>
> The only way to truly protect secrets is for no-one to see them and to
> only transmit and store them in an encrypted way, where unlocking them is
> tied to a secret the end-user has - e.g. user account / password login.
>
> Certainly if there is a server involved in your app somehow, and if you
> control that server, then you are far better off making the server the
> 'keeper of the secrets' because then *you* have control - it's much easier
> to delete a record from a server than it is to force all your users to
> reinstall a new version of your app because a secret contained within it
> has been compromised.
>
> Warmest Regards,
>
> Mark.
>
> P.S. I realize that sometimes storing secrets in distributed apps is the
> 'only' way - but always think to see if there is a way to avoid it if you
> can.
>
> --
> Mark Waddingham ~ mark at livecode.com ~ http://www.livecode.com/
> LiveCode: Everyone can create apps