empty variable

Richard Gaskin ambassador at fourthworld.com
Fri Jan 3 16:59:19 EST 2020


Inputs often pose a bigger risk than core dumps.

Where you ask:
"Any suggestions to make it as secure as possible?"

...we might instead ask:
"Any suggestions to make it as secure as *practical*?"

...or even:
"Any suggestions to make it as secure as *cost-effective*?"

There are always ways to make things more secure. The hard part is 
defining an appropriate level of effort relative to the importance of 
the secret.

Consider this scale of 1 to 5, in terms of how hard people work to keep 
things secret:

1. My app's reg code
2. A user-defined password
3. A user's social security number
4. Nuclear secrets
5. Trump's tax returns

If it's #1 I wouldn't spend more than half an hour thinking about it, 
for so many reasons covered in this list before.

#2 is worth spending some time on, but better hashed than encrypted.

#3 or above will require an understanding of the system to provide 
useful guidance.

-- 
  Richard Gaskin
  Fourth World Systems


JB wrote:
> That is a very interesting question!
> 
> If the user enters the password or did I hardcode a password
> so what follows can only be executed if it included the text I
> put into the variable.
> 
> I am in this case hardcoding it in myself.  This could be text
> that is encrypted but it is still there even before it is put into
> the variable and that means it is in memory.
> 
> Any suggestions to make it as secure as possible?
> 
> JB
> 
> 
>> On Jan 3, 2020, at 1:29 PM, Richard Gaskin via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> How does the password come into the variable?
>> 
>> --
>> Richard Gaskin
>> Fourth World Systems
>> 
>> JB wrote:
>>> What if I have secure info like a password stored
>>> in a local variable and then I clear that info by
>>> putting empty into that local variable.
>>> How secure is that procedure?  I understand a
>>> local variable does not retain the info after the
>>> code finishes but I am concerned about any
>>> info left in memory.
>>> In the C language to clear the memory you set
>>> all of the blocks to null.  That is because it is
>>> more secure than doing something like putting
>>> empty into the variable.
>>> So the question is when I put empty into a local
>>> variable I know when you access that variable it
>>> will return empty but if it has not been set to null
>>> then is it possible for someone to read the blocks
>>> of memory and get anything back.  In C if you set
>>> all of the blocks to null and not just the first block
>>> then you have eliminated the chance of someone
>>> recovering the info.  Is there a secure way to clear
>>> a variable in LiveCode?
>>> JB
>> 
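Added example, not part of the original messages and not LiveCode: a Python sketch of the two technical points in this thread, keeping only a salted hash instead of a hardcoded password (point #2 above) and overwriting the buffer that held the typed secret (JB's question). The function names, the PBKDF2 work factor and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def make_record(password: bytearray) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only this record is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. Best effort only: copies made
    elsewhere by the runtime (str objects, I/O buffers) are out of reach."""
    for i in range(len(buf)):
        buf[i] = 0


def verify(record: dict, attempt: bytearray) -> bool:
    """Check an attempt against the stored record, then wipe the attempt."""
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", attempt, record["salt"], record["iterations"]
        )
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, record["digest"])
    finally:
        wipe(attempt)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    enrolled = bytearray(b"correct horse battery staple")
    record = make_record(enrolled)
    wipe(enrolled)  # the plaintext is no longer needed once the hash exists

    good = bytearray(b"correct horse battery staple")
    bad = bytearray(b"letmein")
    print(verify(record, good), verify(record, bad))
    print(good)  # buffer contents after verification
```

The stored record cannot be reversed into the password, so nothing secret has to be hardcoded; the wipe only covers the one buffer the program controls.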




