Password protecting a data file... how to cope with forgotten password?

Tereza Snyder tereza at califex.com
Wed Jun 13 08:45:28 EDT 2012


Hi Kay C,

You were right when you said I work on a Mac, though the application in question has to work in Windows, too. I suspect there’s some kind of registry magic that will do the equivalent in Windows. I decided to duck the issue for now and store the data in the user documents and/or ASUP accompanied by stern warnings in the documentation.

However, I’m definitely storing away this response for later use. Security and privacy, while not very important to me personally, are becoming bigger and bigger issues for my clients. While I hate remembering and storing and retrieving and inventing passwords, they apparently feel vulnerable unless they’re asked for one at every turn.

I look forward to a future version of LiveCode where we might have a couple of system authentication functions we can apply without deep expertise in OS arcana.

Thanks again,

tereza


On Jun 13, 2012, at 2:34 AM, Kay C Lan wrote:

> Tereza,
> 
> Curiosity got the better of me so I gave the Security command line + LC a
> whirl and it was extremely easy.
> 
> After manually creating a dummy 'generic' account (not Internet, also
> called application) in Keychain Access = dummyAcct, with Password =
> password, I created a new main stack with one button and one field. In the
> button:
> 
> on mouseUp
>   put empty into fld 1
>   put "security find-generic-password -a 'dummyAcct' -g" into tStore
>   put shell(tStore) into tStore2
>   put line 1 of tStore2 into fld 1
> end mouseUp
> 
> I was expecting the OS to give me a prompt for the OS User Password; I got
> an OS prompt, but it was just a caution that one app (Security) was trying
> to access another app (Keychain) and did I wish to allow it. Clicking Allow
> let the script proceed - no OS User Password needed.
> 
> As pointed out, this is dangerous and could mean a non-intended user
> sitting at the computer could obtain the application password.
> 
> So, as a safer alternative, you could, when the user first opens your app
> and has to set a password, use Security + LC to store a copy in Keychain.
> Then if the user forgets their password you could open Keychain for them,
> then provide a prompt advising them that it's stored in Keychain and they
> can retrieve it there - if it were me the prompt would include very
> specific instructions on how to find your application password in Keychain
> and conclude with a statement 'Do not click the Proceed button until you
> have successfully retrieved your Password'. Obviously the prompt would
> include a Cancel and Proceed btn, clicking Proceed would bring up a new
> prompt to enter their Password.
> 
> In Keychain the only way you can view passwords is by the User entering
> their OS User Password thereby preventing any casual user from access.
> 
> Sorry Bill for not suggesting using InfoWallet ;-(
> 
> HTH
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
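
Kay's store-only alternative, sketched as an added shell example (not code from the thread): it stores a recovery copy with `security add-generic-password`, checks for it without `-g` so the secret is never read back into the app, and sends the user to Keychain Access. The service label `com.example.myapp.recovery` and the function names are assumptions; `dummyAcct` is the account name used in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.
SERVICE="com.example.myapp.recovery"   # hypothetical service label (assumption)
ACCOUNT="dummyAcct"                    # account name used in the thread

# Store (or update, -U) a recovery copy of the application password.
# Arguments are passed as separate quoted words, so quotes or spaces in the
# password cannot break the command the way a hand-built string can.
# Caveat: -w places the password in this process's argv while it runs.
store_recovery_copy() {
    # $1 = password the user chose at first launch
    [ -n "$1" ] || return 2
    security add-generic-password -a "$ACCOUNT" -s "$SERVICE" -w "$1" -U
}

# Confirm the item exists WITHOUT reading the secret: no -g and no -w, so
# only the item's attributes are looked up and nothing is shown to the app.
recovery_copy_exists() {
    security find-generic-password -a "$ACCOUNT" -s "$SERVICE" >/dev/null 2>&1
}

# Forgotten-password flow: the app never fetches the password itself. It
# opens Keychain Access, where revealing the password requires the user's
# OS password, and tells the user where to look.
forgot_password() {
    if recovery_copy_exists; then
        open -a "Keychain Access"
        echo "In Keychain Access, search for '$SERVICE', open the item,"
        echo "tick 'Show password' and enter your login password."
        echo "Do not click Proceed until you have retrieved your password."
    else
        echo "No recovery copy found in the keychain." >&2
        return 1
    fi
}
```

From LiveCode these functions would be reached through `shell()`, as in the button script above.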




