SHA1 cracked .... What are the chances this will be addressed in LC?

Peter TB Brett peter.brett at
Wed Mar 1 11:01:40 EST 2017

On 01/03/2017 15:37, Bob Sneidar via use-livecode wrote:
> Hi Peter. Very informative thank you. In the example,
> [protected form] = [salt] + protect([protection func], [salt] +
> [credential]);
> It looks like they are saying to prepent the salt prior to the
> protect function (in the case of LC that would be encrypt) but if
> someone got access to the SQL database, wouldn't that give part of
> the secret away? Isn't the salt value a way to further obscure the
> credential, making something like a hash table more difficult?
> I use a salt value that only I know, and I password protect the stack
> that uses it. Seems to me that prepending the salt to the protected
> form is like giving someone my user name but not my password. The
> other team is starting on the 50 yard line (in American sports
> vernacular).

The idea of a password storage scheme is to make it extremely costly for
an attacker to recover the original passwords, even given _total_ 
information about the scheme.  When evaluating a scheme, you should 
always assume that if someone has got access to your password database, 
they have also got access to anything else on that server or any server 
connected to it -- potentially including your secret salt.

By appending the salt to the front of the protected form, you can use a
different salt for every single password in your database.  Even if 
someone knows a password already (e.g. because they have an account on 
your server), they gain no information about any of the other passwords 
in the database.

Password storage schemes like Argon2 go one step further and put all of 
the parameters for the protected form into the protected string.  This 
allows the parameters to be modified for newly-stored passwords while 
still being able to verify old passwords.  They are also tuned to ensure 
that it takes a long time to compute the protected form (usually around 
0.1 to 0.5 ms).  That's long enough that knowing _all_ the parameters 
still makes it infeasible to figure out what the original password was.

In summary: salt values shouldn't need to be secret.


Dr Peter Brett <peter.brett at>
LiveCode Technical Project Manager

lcb-mode for Emacs:

More information about the use-livecode mailing list