SHA1 cracked .... What are the chances this will be addressed in LC?
    Peter TB Brett 
    peter.brett at livecode.com
       
    Wed Mar  1 05:31:31 EST 2017
    
    
  
On 28/02/2017 15:46, Bob Sneidar via use-livecode wrote:

> Thanks for that Peter! I've been thinking about a way to encrypt data
> for storage in database systems for things like passwords and server
> credentials. Now to figure out how to decrypt it...

Hi Bob,

Never store user passwords in clear text, or in any encoding that can be 
reversed.  Both message digest algorithms and HMACs are intended to be 
*one-way* functions -- this is one of their important properties.

If you are handling passwords, then this is a pretty decent page with 
good guidelines on how to do it safely and securely:

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Note that the HMAC definition I posted earlier is a simplified version; 
it would probably be a good idea to have a library that provides the 
full spec described in https://tools.ietf.org/html/rfc2104

Also, I'm wondering whether to add an Argon2 or PBKDF2 implementation to 
the engine to help with this.

                                           Peter
-- 
Dr Peter Brett <peter.brett at livecode.com>
LiveCode Technical Project Manager
lcb-mode for Emacs: https://github.com/peter-b/lcb-mode
    
    