Jonathan,
Since you said you are writing something for "patients" you might want to either market it as something else (personal diary) or check the HIPAA regulations. HIPAA imposes some rather strict requirements even though your software is for the patient and not the health-care provider. The requirements may still apply and the consequences of failure to comply are draconian at a minimum.
Jamie
Sales 800-539-1780
Support 706-632-3763
Fax 706-632-6498
www.installfactory.com
On May 1, 2006, at 10:54 AM, [EMAIL PROTECTED] wrote:
Jonathon Bevar wrote:
If I wanted to save a User and Password editfields, mind you I am using the Password mask in the Password editfield, how would the password editfield be saved?
Save the MD5 hash of it. Then, to check the user's entered
password against what's saved in the file, compute the MD5 of what
the user entered, and compare it to what's in the file.
Is there some auto-encryption when saved to an .ini or text file?
No.
1> I want this to be easy and for all platforms so hiding it in the registry is nonsense to me. A simple text file should be fine if the editfield data is encrypted already.
Agreed.
2> If this is not the case then, is there an easy encryption method I could use to encrypt the Password data to a simple text file?
Yep, MD5.
3> And of course a way to un-encrypt the file to view it to check if it is the correct password.
No, you don't want that. If there were an easy way for you to un-encrypt the password, then that would be an easy way for others to do it, too. Instead, all you need is a way to encrypt (hash) what the user enters in the same way it was done originally, so you can compare it to what's in the file.
This still leaves your users vulnerable to a dictionary attack, of
course (where the bad guy computes the MD5 of every word in the
dictionary, looking for one that matches what's stored for the
password). So tell your users not to pick a password that's a real
word.
I am creating a diary log for patients and one end-user wants a password protected log as he has other members in his family that he does not want 'snooping' in his personal log entries. I don't blame him.
Hmm, I see I didn't fully appreciate your needs; you need to
encrypt not just the password, but the data as well. But the
advice above about using MD5 to store the password is still useful;
just treat "storing the password" and "storing the data" as two
different problems. A one-way encryption (e.g. MD5) is still the
best way to store the password.
As for the data, you'll need to do something else. For industrial-grade encryption, you'll probably need to use a plugin or find a library, as that code can be quite complex. But there are some relatively simple things you can do that may be good enough for an app like this. Here's an example:
1. Put the data to be encrypted into a MemoryBlock (m1).
2. Make a second MemoryBlock (m2) of the same size, and fill this with the password repeated over and over.
3. Now, zip through the data like this:

    for i = 0 to m1.Size - 1
      m1.Byte(i) = BitwiseXOR( m1.Byte(i), m2.Byte(i) )
    next

This computes the XOR of the data with the password. This will
work to both encrypt and decrypt the data. I want to stress that
any serious cryptographer with a decent amount of data encoded this
way could crack it without breaking a sweat, but it would certainly
stump any "normal" person, and it's easy to implement.
HTH,
- Joe
--
Joe Strout -- [EMAIL PROTECTED]
Available for custom REALbasic programming or instruction.
_______________________________________________
Unsubscribe or switch delivery mode:
<http://www.realsoftware.com/support/listmanager/>
Search the archives of this list here:
<http://support.realsoftware.com/listarchives/lists.html>
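
An added example, not part of the original thread and not REALbasic code: the thread's "hash what the user enters and compare it to the file" check, shown in Python with the bare MD5 record beside a salted, iterated PBKDF2 record that blunts the dictionary attack mentioned above. The function names, the `$`-separated record layout and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to the slowest machine you support


def md5_record(password):
    """Scheme from the thread: the bare MD5 of the password, as hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password, iterations=ITERATIONS):
    """Return one text line: scheme$iterations$salt$digest (layout is hypothetical)."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def check_password(entered, record):
    """Re-derive with the stored salt and count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        actual = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except (ValueError, OverflowError):
        return False  # malformed or hand-edited record
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "sunshine"  # constructed sample password
    print(md5_record(pw) == md5_record(pw))  # same word always gives the same MD5
    a, b = make_record(pw), make_record(pw)
    print(a != b)                            # per-record salts make the lines differ
    print(check_password(pw, a), check_password("Sunshine", a))
```

Because the salt and iteration count travel inside the record, the line can still live in a plain text or .ini file on any platform.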