Hi Peter. Very informative thank you. In the example, 

[protected form] = [salt] + protect([protection func], [salt] + [credential]);

It looks like they are saying to prepend the salt prior to the protect function 
(in the case of LC that would be encrypt), but if someone got access to the SQL 
database, wouldn't that give part of the secret away? Isn't the salt value a 
way to further obscure the credential, making something like a hash table more 
difficult? 

I use a salt value that only I know, and I password protect the stack that uses 
it. Seems to me that prepending the salt to the protected form is like giving 
someone my user name but not my password. The other team is starting on the 50 
yard line (in American sports vernacular). 

Bob S


> On Mar 1, 2017, at 02:31 , Peter TB Brett via use-livecode 
> <use-livecode@lists.runrev.com> wrote:
> 
> If you are handling passwords, then this is a pretty decent page with good 
> guidelines on how to do it safely and securely:
> 
> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
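The scheme quoted above, worked through as an added example (not code from the original thread or from LiveCode): the salt is stored in the clear next to the protected form, and the example shows what that does and does not give to someone who reads the database. PBKDF2-HMAC-SHA256 stands in for the protection function, and the user names, passwords and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SALT_LEN = 16        # bytes of random salt per credential (constructed choice)
ITERATIONS = 100_000 # PBKDF2 work factor (constructed choice; tune for your hardware)


def protect(credential: str, salt: bytes) -> bytes:
    """protect([protection func], [salt] + [credential]) with PBKDF2-HMAC-SHA256
    as the protection function. The salt is mixed into the derivation, so the
    same credential yields a different digest under a different salt."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt, ITERATIONS)


def make_protected_form(credential: str, salt: Optional[bytes] = None) -> bytes:
    """[protected form] = [salt] + protect(...). A fresh random salt per credential
    unless one is supplied (supplied only to make a deterministic comparison)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return salt + protect(credential, salt)


def verify(credential: str, stored: bytes) -> bool:
    """Split the stored form back into salt and digest, re-derive, compare in
    constant time. Verification needs the salt, which is why it is stored."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(protect(credential, salt), digest)


def unsalted_table_hits(table: Dict[bytes, str], stored_forms: List[bytes]) -> int:
    """Someone holding a precomputed table of protect(guess, no salt) values tries
    to match the digests read out of the database. Returns the number of matches."""
    return sum(1 for stored in stored_forms if stored[SALT_LEN:] in table)


def guess_work_with_salts(stored_forms: List[bytes], guesses: List[str]) -> Tuple[int, List[str]]:
    """With the salts in hand the reader of the database still has to run the slow
    derivation once per (stored form, guess): the salt removes table reuse, not
    the need to keep the credential itself strong. Returns (derivations, cracked)."""
    work, cracked = 0, []
    for stored in stored_forms:
        for guess in guesses:
            work += 1
            if verify(guess, stored):
                cracked.append(guess)
                break
    return work, cracked


def demo() -> dict:
    # Constructed sample accounts; two of them chose the same weak password.
    accounts = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery"}
    db = {user: make_protected_form(pw) for user, pw in accounts.items()}
    stored = list(db.values())

    # Table built without salts, as an attacker would precompute ahead of time.
    common = ["password", "letmein", "123456"]
    table = {protect(g, b""): g for g in common}

    work, cracked = guess_work_with_salts(stored, common)
    return {
        "same_password_differs": db["alice"] != db["bob"],
        "salt_is_visible": db["alice"][:SALT_LEN] in db["alice"],
        "verify_ok": verify("letmein", db["alice"]),
        "verify_wrong": verify("letmein", db["carol"]),
        "unsalted_table_hits": unsalted_table_hits(table, stored),
        "derivations_with_salts": work,
        "cracked_with_salts": cracked,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the numbers make: because each stored form carries its own salt, two accounts with the same password store different digests, and a table of unsalted digests matches nothing, so reading the database does not hand over a lookup shortcut. What the reader does get is the ability to run the derivation per account per guess, which is why the weak passwords still fall to a short guess list and the strong one does not; the salt is stored so verification can recompute it, and its job is to defeat reuse of precomputed work rather than to be a second secret.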


_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com