Re: Question about "that thing you key in that's not a user name when you're logging in"

Wed, 30 Dec 2015 16:31:38 -0800

Some people dislike that method because it lets an attacker 'guess' a username separately from password; there is (arguably) more security in having the attacker be unable to tell which one didn't match.
Personally, I don't know enough to have an opinion - certainly not enough to listen to my own opinion :-) 

-- Alex.


On 30/12/2015 23:52, Bob Sneidar wrote:

What I do (and I have seen this in other login systems apart from LC) is I have 
a User Name field and a Login button. When clicked it will check a database of 
user names and balk if it cannot find the user. It then uses Ask Password, 
encrypts it using a seed value only I know, compares it with the stored 
encrypted value, and proceeds or declines based on if it matches.

Bob S

On Dec 30, 2015, at 15:04 , J. Landman Gay 
<jac...@hyperactivesw.com<mailto:jac...@hyperactivesw.com>> wrote:

On 12/30/2015 5:18 AM, Richmond wrote:
one thing that is very odd is 'mcEncrypt';

firstly because it maybe the only thing in LiveCode that
betrays LiveCode's ancestry in MetaCard,

It was part of the original MC 1.0 and was used only internally to encrypt the 
entry from an ask dialog. The encrypted form was returned to the script. There 
was no way to obtain the original unencrypted text entry.

and

secondly because the Documentation (7.1) tells us
nothing beyond that it is 'Reserved for internal use'.

That 'Reserved' is all jolly well and good, but made
me feel a bit strange having read the entry for

"ask p_assword" [there's another way of getting round things, even if,
for Americans,
it might seem a bit 'fruity']

where it says:

'get mcEncrypt(it)'

At some point the dialog behavior changed and the engine now returns only the 
raw text. It is now necessary for the script rather than the engine to handle 
the encryption if that's desired. When the behavior changed, mcEncrypt was made 
public and put into the dictionary.

--
Jacqueline Landman Gay         |     
jac...@hyperactivesw.com<mailto:jac...@hyperactivesw.com>
HyperActive Software           |     
http://www.hyperactivesw.com<http://www.hyperactivesw.com/>

_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode



_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode






















					Reply via email to