Thanks Peter. I see some things in there that help me understand better what
the salting does. I will probably incorporate this in my app fairly soon. I
store passwords for various things, and want to make sure they are as secure as
possible.
Once I get it working I think I will put up a sampl
On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote:
Thanks Peter. But then how will I know programmatically if the password is
correct or not?
Hi Bob,
Here's a worked example of what I'm talking about.
Peter
--
NVM I think I see. I hash the user's password entry and compare the value to
what is stored. But if the stored hash is an asymmetric one and cannot be
decrypted, what is all the fuss about? Rainbow tables are all that is left, and
you cannot create rainbow tables for every possible methodology.
You encrypt the trial password and compare the encrypted values.
Bill
William Prothero
http://ed.earthednet.org
> On Mar 7, 2017, at 3:28 PM, Bob Sneidar via use-livecode
> wrote:
>
> Thanks Peter. But then how will I know programmatically if the password is
> correct or not?
>
> Bob S
>
Thanks Peter. But then how will I know programmatically if the password is
correct or not?
Bob S
> On Mar 6, 2017, at 02:53 , Peter TB Brett via use-livecode
> wrote:
>
>
>
> On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote:
>> It looks like the encrypt command is already using thi
On 03/03/2017 18:00, Bob Sneidar via use-livecode wrote:
It looks like the encrypt command is already using this method if
the "with salt" argument is provided? At least the encrypted result
starts with "salted" and at least part of the salt value.
Hi Bob,
The "encrypt" command provides sy
this discussion has been very useful on many fronts. I'm going to have
fewer nightmares about security.
On Fri, Mar 3, 2017 at 1:00 PM, Bob Sneidar via use-livecode <
use-livecode@lists.runrev.com> wrote:
> It looks like the encrypt command is already using this method if the
> "with salt" argue
It looks like the encrypt command is already using this method if the "with
salt" argument is provided? At least the encrypted result starts with "salted"
and at least part of the salt value.
Bob S
> On Mar 1, 2017, at 07:37 , Bob Sneidar via use-livecode
> wrote:
>
> Hi Peter. Very infor
On 02/03/2017 19:28, Alejandro Tejada via use-livecode wrote:
How difficult would it be to guess a sha1 digest, if we repeat it many,
many times? Just as Peter Brett wrote in a previous message:
put sha1Digest(sha1Digest(sha1Digest(tData))) -- 3 times!
Don't do this. It will make it _easier_
How difficult would it be to guess a sha1 digest, if we repeat it many,
many times? Just as Peter Brett wrote in a previous message:
put sha1Digest(sha1Digest(sha1Digest(tData))) -- 3 times!
Al
___
use-livecode mailing list
use-livecode@lists.runrev.co
ercial
> coders that are forced to use more settled versions for speed, productivity
> & reliability are not left out in the dark & cold, again.
>
> Have fun!
>
>
>
> -
> • Livecode programming until the cat hits the fan •
> --
> View this message in con
ctivity
& reliability are not left out in the dark & cold, again.
Have fun!
-----
• Livecode programming until the cat hits the fan •
--
View this message in context:
http://runtime-revolution.278305.n4.nabble.com/SHA1-cracked-What-are-the-chances-this-will-be-addressed-in-LC-tp4712554p47
Peter Brett wrote:
> Hold your horses, Richard, I'm still waiting for the official
> Mark Waddingham stamp of approval for making changes
> to the LiveCode language!
> There's still a chance that it'll change a bit before it
> actually makes its way into a release.
This is real good news! :D
Any
On 01/03/2017 18:22, Richard Gaskin via use-livecode wrote:
The answer turns out to be: "Quite good - pull request submitted, status
changed to 'Awaiting Build'" - i.e. "done!"
http://quality.livecode.com/show_bug.cgi?id=14223
Many thanks to Peter Brett for addressing this, and implementing it
This thread title asks: "What are the chances this will be addressed in LC?"
The answer turns out to be: "Quite good - pull request submitted, status
changed to 'Awaiting Build'" - i.e. "done!"
http://quality.livecode.com/show_bug.cgi?id=14223
Many thanks to Peter Brett for addressing this, a
On 01/03/2017 15:37, Bob Sneidar via use-livecode wrote:
Hi Peter. Very informative thank you. In the example,
[protected form] = [salt] + protect([protection func], [salt] +
[credential]);
It looks like they are saying to prepend the salt prior to the
protect function (in the case of LC that
Hi Peter. Very informative thank you. In the example,
[protected form] = [salt] + protect([protection func], [salt] + [credential]);
It looks like they are saying to prepend the salt prior to the protect function
(in the case of LC that would be encrypt) but if someone got access to the SQL
da
On 28/02/2017 15:46, Bob Sneidar via use-livecode wrote:
Thanks for that Peter! I've been thinking about a way to encrypt data
for storage in database systems for things like passwords and server
credentials. Now to figure out how to decrypt it...
Hi Bob,
Never store user passwords in clear te
NVM I'm a moron. It's there but I overlooked it.
Bob S
> On Feb 28, 2017, at 12:27 , Richard Gaskin via use-livecode
> wrote:
>
> I had written "shaONEdigest" only to draw attention to the "1" ("ONE"), just
> in case you'd tried "l" ("L") instead.
>
> It's in there. Has been for years. N
Bob Sneidar wrote:
>> On Feb 28, 2017, at 09:33 , Richard Gaskin wrote:
>> Bob Sneidar wrote:
>>
>> > I cannot find a function called sha1digest in the LC library.
>>
>> It's sha-ONE-digest, and it's been around for a while so it should
>> be there.
>>
>
> I search for SHA in the dictionary, nada
One thing I discovered just now: the items listed in the API tab of the
Dictionary are not necessarily in alphabetic order by default. I
discovered it by typing 'sh' into the Filter box and looking at the
list, top to bottom. Things weren't where I expected them to be! After I
clicked the 'Name
However, this works:
put sha1Digest("dfgdfgdghgdhfgh")
So we know it's there.
FWIW -
Phil Davis
On 2/28/17 11:05 AM, Bob Sneidar via use-livecode wrote:
I search for SHA in the dictionary, nada. I type sha1digest into a script,
right click it, nada. I type shaONEdigest in a script, rig
On 02/28/2017 11:05 AM, Bob Sneidar via use-livecode wrote:
I search for SHA in the dictionary, nada.
It's in the dictionary.
Maybe you have a filter enabled that's masking it?
--
Mark Wieder
ahsoftw...@gmail.com
I search for SHA in the dictionary, nada. I type sha1digest into a script,
right click it, nada. I type shaONEdigest in a script, right click it, nada.
Bob S
> On Feb 28, 2017, at 09:33 , Richard Gaskin via use-livecode
> wrote:
>
> Bob Sneidar wrote:
>
> > I cannot find a function called
Bob Sneidar wrote:
> I cannot find a function called sha1digest in the LC library.
It's sha-ONE-digest, and it's been around for a while so it should be there.
--
Richard Gaskin
Fourth World Systems
Software Design and Development for the Desktop, Mobile, and the Web
err... This does not work. I cannot find a function called sha1digest in the LC
library.
Bob S
> On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode
> wrote:
>
> Or, in LiveCode:
>
> function HmacSha1(pKey, pData)
>    return sha1digest(pKey & sha1digest(pKey & pData))
> end HmacSha1
>
Thanks for that Peter! I've been thinking about a way to encrypt data for
storage in database systems for things like passwords and server credentials.
Now to figure out how to decrypt it...
Bob S
> On Feb 27, 2017, at 02:49 , Peter TB Brett via use-livecode
> wrote:
>
>function HmacSha
On 24/02/2017 18:47, axwald via use-livecode wrote:
few days ago I read about PHP incorporating a modern crypto lib now:
https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library
Not a specialist regarding this, but wouldn't it be possibl
For those interested there is a SHA-1 collider here to have a play with
https://alf.nu/SHA1
On 25 Feb 2017 3:18 p.m., "Dr. Hawkins via use-livecode" <
use-livecode@lists.runrev.com> wrote:
> On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode <
> use-livecode@lists.runrev.com> wrote:
>
On Sat, Feb 25, 2017 at 5:15 AM, Keith Martin via use-livecode <
use-livecode@lists.runrev.com> wrote:
> While Google may include a backdoor (something I consider unlikely but I
> realise that's no less conjecture than '100% certainty'), the Natural News
> issue isn't what the site owners paint it
An aside response...
> Read between the lines Google doesn't use it so obviously people will start
> using Google's which will with 100% certainty have a backdoor in it
> looking as to how they removed 140,000 indexed pages of www.naturalnews.com
> after the owner didn't give in to blackmail
mmercial software now. It might even have juristic
consequences, knowingly using broken crypto?
Anyway. Have fun!
-
• Livecode programming until the cat hits the fan •
--
View this message in context:
http://runtime-revolution.278305.n4.nabble.com/SHA1-cracked-What-are-the-chances-this-will-
I dl'd and also sent him some money.
Bob S
> On Feb 24, 2017, at 09:56 , Richard Gaskin via use-livecode
> wrote:
>
> Peter covered why it should be done in C, but if you really need sha256 today
> Mark Smith's libSHA includes a scripted version:
>
> http://marksmith.on-rev.com/revstuff/
>
Lagi Pittas wrote:
> Why does it need to be a part of the language and not a widget
> or a library stack which we can all fiddle with for our projects,
> which would make it more difficult for the bad boys to decrypt?
Peter covered why it should be done in C, but if you really need sha256
today
On 24/02/2017 17:18, Lagi Pittas via use-livecode wrote:
Why does it need to be a part of the language and not a widget or a library
stack which we can all fiddle with for our projects , which would make it
more difficult for the bad boys to decrypt?
Cryptographic hash implementations have a
Why does it need to be a part of the language and not a widget or a library
stack which we can all fiddle with for our projects , which would make it
more difficult for the bad boys to decrypt?
Lagi
On 24 February 2017 at 17:15, Tom Glod via use-livecode <
use-livecode@lists.runrev.com> wrote:
It's good to hear it's being looked at by the core team. I trust the most
obvious correct decision will be made eventually.
On Fri, Feb 24, 2017 at 11:28 AM, Richard Gaskin via use-livecode <
use-livecode@lists.runrev.com> wrote:
> As much as I enjoy chatting with other users, a while back I had ho
As much as I enjoy chatting with other users, a while back I had hoped
to make this more actionable by submitting an enhancement request for
sha256:
http://quality.livecode.com/show_bug.cgi?id=14223
The challenge with satisfying that request is twofold:
- sha2 is not a single algo, but a fam
Hi
I didn't say they shouldn't do it I said I won't lose any sleep over it.
I don't think it needs to be built in either - just a library will do and
everybody can tweak it a little bit so that NOBODY knows which one it is -
that'll piss TPTB off.
Lagi
On 24 February 2017 at 13:58, Dan Brown via
It may cost $110,000 today but the computational cost of executing this
exploit will decrease year on year until it is trivial to perform. I would
think it much better to address this issue immediately so that applications
being made now are future proofed.
There is also the PR element to consider
thanks for sharing your thoughts on this Lagi, you make some good points.
On Fri, Feb 24, 2017 at 5:44 AM, Lagi Pittas via use-livecode <
use-livecode@lists.runrev.com> wrote:
> I think everybody is overplaying this.
>
> It will only matter if the amount of money or other advantages is worth at
I think everybody is overplaying this.
It will only matter if the amount of money or other advantages is worth at
least $110,000.
The algorithm executed in Amazon's cloud at the cheapest rate would cost
that much in processing to get 1 key.
The only people that will waste YOUR money to do this
Hi everyone,
Read this article today. I use SHA1 in my software, so
https://www.recode.net/2017/2/23/14715570/google-researchers-crack-internet-security-tool-sha1-encryption
What do you all think? Should I bother reporting this? or is it fair to say
they know about it? What are the chances that