Inputs often pose a bigger risk than core dumps.

Where you ask:
"Any suggestions to make it as secure as possible?"

...we might instead ask:
"Any suggestions to make it as secure as *practical*?"

...or even:
"Any suggestions to make it as secure as *cost-effective*?"

There are always ways to make things more secure. The hard part is defining an appropriate level of effort relative to the importance of the secret.

Consider this scale of 1 to 5, in terms of how hard people work to keep things secret:

1. My app's reg code
2. A user-defined password
3. A user's social security number
4. Nuclear secrets
5. Trump's tax returns

If it's #1 I wouldn't spend more than half an hour thinking about it, for so many reasons covered in this list before.

#2 is worth spending some time on, but better hashed than encrypted.

#3 or above will require an understanding of the system to provide useful guidance.

--
 Richard Gaskin
 Fourth World Systems


JB wrote:
That is a very interesting question!

If the user enters the password or did I hardcode a password
so what follows can only be executed if it included the text I
put into the variable.

I am in this case hardcoding it in myself.  This could be text
that is encrypted but it is still there even before it is put into
the variable and that means it is in memory.

Any suggestions to make it as secure as possible?

JB


On Jan 3, 2020, at 1:29 PM, Richard Gaskin via use-livecode <use-livecode at lists.runrev.com> wrote:

How does the password come into the variable?

--
Richard Gaskin
Fourth World Systems

JB wrote:
What if I have secure info like a password stored
in a local variable and then I clear that info by
putting empty into that local variable.
How secure is that procedure?  I understand a
local variable does not retain the info after the
code finishes but I am concerned about any
info left in memory.
In the C language to clear the memory you set
all of the blocks to null.  That is because it is
more secure than doing something like putting
empty into the variable.
So the question is when I put empty into a local
variable I know when you access that variable it
will return empty but if it has not been set to null
then is it possible for someone to read the blocks
of memory and get anything back?  In C if you set
all of the blocks to null and not just the first block
then you have eliminated the chance of someone
recovering the info.  Is there a secure way to clear
a variable in LiveCode?
JB
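
The C practice JB describes above, as an added example that is not part of the original thread: it contrasts marking a string empty (only the first byte set to NUL) with zeroing the buffer's full capacity, and counts what is left in memory each way. `SAMPLE_SECRET`, `BUF_LEN` and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SAMPLE_SECRET "constructed-secret"   /* constructed sample value */
#define BUF_LEN 32

/* Zero every byte through a volatile pointer. A plain memset() on a buffer
   that is never read again may be removed by the optimizer as a dead store;
   volatile stores may not. Where available, explicit_bzero() or C11
   memset_s() serve the same purpose. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Count bytes that still hold non-zero data anywhere in the buffer. */
size_t residual_bytes(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (p[i] != 0);
    return n;
}

/* Store the sample in a buffer, clear it one of two ways, count leftovers.
   full_wipe == 0: set only the first byte to NUL, so the string reads as "".
   full_wipe != 0: zero the whole capacity, not just strlen() bytes. */
size_t residual_after_clear(int full_wipe)
{
    char buf[BUF_LEN] = {0};
    memcpy(buf, SAMPLE_SECRET, sizeof(SAMPLE_SECRET));
    if (full_wipe)
        secure_wipe(buf, sizeof buf);
    else
        buf[0] = '\0';
    return residual_bytes(buf, sizeof buf);
}

int main(void)
{
    printf("first byte cleared: %zu bytes remain\n", residual_after_clear(0));
    printf("full wipe:          %zu bytes remain\n", residual_after_clear(1));
    return 0;
}
```

The wipe covers only this one buffer; any other copy of the value made elsewhere in the process is not touched by it.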


