World: r3wp
[Core] Discuss core issues
older newer | first last |
Dockimbel 16-Sep-2009 [14736] | Btw, congratulation to the author, Vincent Ecuyer for this great library! |
Maxim 17-Sep-2009 [14737x2] | anyone know of a way to get a persistent value based on someone's computer... the longer the string the better... (on windows) this is with a /command license, so any accessible rebol feature is usable. something like: -System install serial number -Disk serial number -CPU id I want to generate an encryption key which isn't stored as part of the code. It just makes it a bit more complicated to reverse engineer the stored password if the encryption key is different for all installations. |
this value is only the basis for an intense series of string manipulations which make even the original data useless unless someone has the exact algorythm which generated the key. | |
Graham 17-Sep-2009 [14739] | MAC address ?? |
Maxim 17-Sep-2009 [14740] | how do I get that info into rebol? |
Graham 17-Sep-2009 [14741x2] | get-modes ?? |
or not | |
Pekr 17-Sep-2009 [14743x2] | I am not sure get-modes gets you a mac address .... |
you can as well use some power of command line - parse results of commands like ipconfig, arp -a, etc. | |
Maxim 17-Sep-2009 [14745x3] | ahh. yes... doing a dir returns the volume name and serial number in one shot :-) perfect. |
so I'll just call and use the result string! | |
btw, thanks pekr don't know why I didn't of such a simple solution.... to much PITL dev I guess ;-) | |
Pekr 17-Sep-2009 [14748] | yes. The same went for my news-scroller. I just tried to outline it in REBOL, thinking someone should do it in some PITL environment. Then I saw my brother using it in PC Shop on his LCD TV. I asked him - hey, wait till someone makes final version, and he replied - it works, no? And then I thought to myself - can I regard 2 pages of code being actually an application? :-) |
Maxim 17-Sep-2009 [14749] | hehe |
Gabriele 19-Sep-2009 [14750] | max, it always scares me when people think that obscurity is a form of security... |
Maxim 19-Sep-2009 [14751x2] | Gab, are you saying that my idea is only obscurity, or that its the proper approach? just want to confirm what you mean. the |
the idea is for the encryption key to a stored password is created dynamically via an algorythm. If the software is encapped, then its a pretty safe system IMHO. But if the software stays open source (and interpreted), at least I can use some natives for which the key-gen algorythm is hard to reverse engineer. Although someone with rebol know-how can obviously get the passwd by running the algorythm manually, there is no way around this AFAIK. | |
Gabriele 20-Sep-2009 [14753x2] | There is no way to protect a password you are saving. Normally, you just want to obfuscate it so that it does not jump to the eyes when someone is looking. |
if the file containing the password is accessible to other people, then the password is accessible to other people. | |
Maxim 20-Sep-2009 [14755x3] | but that is true of all passwords on a computer even login passwds. |
but an encrypted password, without the key isn't usable if you don't know the key. | |
or even the algorythm its encoded with | |
Gabriele 20-Sep-2009 [14758x3] | If you think that keeping the algorithm secret increases the security of your encryption then you should not be writing an encryption algorithm. it's that simple. :) |
The application knows the key, so anyone that can access the application knows the key. | |
the only way to keep a password secret if your files are accessible to other people is to not store it into a file. | |
Maxim 20-Sep-2009 [14761] | you mean like in the registry? |
Henrik 20-Sep-2009 [14762] | I've wondered how useful it is not to store the password itself, but encrypting each keypress instead on top of the last keypress. |
Maxim 20-Sep-2009 [14763] | know that I understand that ultimately there is no method to hide any data. |
Gabriele 20-Sep-2009 [14764] | I mean that thing that humans have that's called "memory". |
Maxim 20-Sep-2009 [14765x2] | yes ... and it forgets ;-) |
I have a record right now of 67 passwords I have to remember... I mean I can't remember all of them. | |
Gabriele 20-Sep-2009 [14767x4] | right, so you have two options: you make sure noone can access your files (like you make sure noone can access your credit card), or you make sure you don't forget. |
I do remember dozens of passwords, but this is not the point. Now you're talking about a different thing, which is a password manager. | |
A password manager encrypts all your passwords using a single password that you have to remember. so you remember just one. | |
In decent operating systems, that is standard with the OS, so what your app does is just communicate with the password manager and store passwords there. | |
Maxim 20-Sep-2009 [14771] | yep, but it can be broken, just like any other system, cause it, like any system has to store those passwords somewhere. |
Gabriele 20-Sep-2009 [14772x3] | as long as the master password is not stored anywhere... you are safe. |
No, it does not have to store the master password anywhere. | |
You need at least one password you don't store; otherwise, you can only try to keep your files out of anyone else hands. | |
Maxim 20-Sep-2009 [14775] | true |
Gabriele 20-Sep-2009 [14776x2] | And, this is not a problem that *your* app has to solve. It is just wasted time for you. Either you make use of a password manager, or just use obfuscation. |
I'd just use encloak with some random text. If you think it's easy enough to get a system specific key, you might do that, but I don't know if users will be happy to find out that their passwords don't work anymore when they upgrade their PC or move to another computer. | |
Maxim 20-Sep-2009 [14778x2] | its for a client app... so its not a big issue... its only so the software remembers the login for subsequent calls to the server... just like all the browsers & OS "do you want xxxxxx to remember this password" |
I'll use real encryption (using command) | |
Gabriele 20-Sep-2009 [14780] | Right, and do you think that the browsers are secure, or use a secret algorithm for that? :) |
Maxim 20-Sep-2009 [14781] | its a choice I make. and I know every single piece of data on my computer is vulnerable. |
Gabriele 20-Sep-2009 [14782x2] | using real encryption does not make any difference... but anyway. |
that is what I'm saying... so why waste time with some complicated scheme to store the password? | |
Maxim 20-Sep-2009 [14784x2] | I mean Gabriele, no system in the world is ultimately secure. The point is only to make it unfeasible. |
cause its going to be requested from every user the first time they have to "re-login" ;-) | |
older newer | first last |