On 2018-06-06 18:09, Tom Glod via use-livecode wrote:
> what if for example you want to hard code a hash salt into your code?.....
> if the code is readable, then so is the salt. I would vote for unreadable
> code 100% of the time.

Technically even if the code isn't readable, then the salt will still be
there - all you are doing is making it more difficult for relatively
unmotivated individuals to get at it. Which perhaps doesn't help much,
as the unmotivated are probably not the ones who are going to cause any
problems.

The only way to truly protect secrets is for no-one to see them and to
only transmit and store them in an encrypted way, where unlocking them
is tied to a secret the end-user has - e.g. user account / password
login.

Certainly if there is a server involved in your app somehow, and if you
control that server then you are far better off making the server the
'keeper of the secrets' because then *you* have control - it's much
easier to delete a record from a server than it is to force all your
users to reinstall a new version of your app because a secret contained
within it has been compromised.

Warmest Regards,

Mark.

P.S. I realize that sometimes storing secrets in distributed apps is the
'only' way - but always think to see if there is a way to avoid it if
you can.

--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps
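
Added example, not part of the original message and not LiveCode code: a Python sketch of the "server as keeper of the secrets" arrangement described in the reply above, where the app ships with no secret, the salt is random per user, and a compromised secret is handled by changing one server record. The class and method names, the PBKDF2 work factor and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


class SecretKeeper:
    """Hypothetical server-side store; nothing here is compiled into the app."""

    def __init__(self):
        self._users = {}    # username -> (per-user salt, password hash)
        self._secrets = {}  # secret name -> value, held only on the server
        # Dummy record so unknown users cost the same work as known ones.
        self._dummy = (secrets.token_bytes(16), secrets.token_bytes(32))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user, password):
        salt = secrets.token_bytes(16)  # random per user, never hard-coded
        self._users[user] = (salt, self._hash(password, salt))

    def put_secret(self, name, value):
        # Also used to rotate: replacing the record needs no client update.
        self._secrets[name] = value

    def revoke_secret(self, name):
        self._secrets.pop(name, None)

    def fetch_secret(self, user, password, name):
        """Release a secret only after the end-user's own login succeeds."""
        salt, expected = self._users.get(user, self._dummy)
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None
        return self._secrets.get(name)


def demo():
    # Constructed sample data.
    keeper = SecretKeeper()
    keeper.register("alice", "correct horse battery staple")
    keeper.put_secret("api-key", "k1-sample")
    ok = keeper.fetch_secret("alice", "correct horse battery staple", "api-key")
    bad = keeper.fetch_secret("alice", "wrong password", "api-key")
    keeper.revoke_secret("api-key")               # compromise: delete the record
    gone = keeper.fetch_secret("alice", "correct horse battery staple", "api-key")
    keeper.put_secret("api-key", "k2-sample")     # rotate without a reinstall
    new = keeper.fetch_secret("alice", "correct horse battery staple", "api-key")
    return ok, bad, gone, new
```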