World: r3wp
[Core] Discuss core issues
| older newer | first last |
| Maxim 20-Sep-2009 [14756x2] | but an encrypted password, without the key isn't usable if you don't know the key. |
or even the algorythm its encoded with | |
| Gabriele 20-Sep-2009 [14758x3] | If you think that keeping the algorithm secret increases the security of your encryption then you should not be writing an encryption algorithm. it's that simple. :) |
The application knows the key, so anyone that can access the application knows the key. | |
the only way to keep a password secret if your files are accessible to other people is to not store it into a file. | |
| Maxim 20-Sep-2009 [14761] | you mean like in the registry? |
| Henrik 20-Sep-2009 [14762] | I've wondered how useful it is not to store the password itself, but encrypting each keypress instead on top of the last keypress. |
| Maxim 20-Sep-2009 [14763] | know that I understand that ultimately there is no method to hide any data. |
| Gabriele 20-Sep-2009 [14764] | I mean that thing that humans have that's called "memory". |
| Maxim 20-Sep-2009 [14765x2] | yes ... and it forgets ;-) |
I have a record right now of 67 passwords I have to remember... I mean I can't remember all of them. | |
| Gabriele 20-Sep-2009 [14767x4] | right, so you have two options: you make sure noone can access your files (like you make sure noone can access your credit card), or you make sure you don't forget. |
I do remember dozens of passwords, but this is not the point. Now you're talking about a different thing, which is a password manager. | |
A password manager encrypts all your passwords using a single password that you have to remember. so you remember just one. | |
In decent operating systems, that is standard with the OS, so what your app does is just communicate with the password manager and store passwords there. | |
| Maxim 20-Sep-2009 [14771] | yep, but it can be broken, just like any other system, cause it, like any system has to store those passwords somewhere. |
| Gabriele 20-Sep-2009 [14772x3] | as long as the master password is not stored anywhere... you are safe. |
No, it does not have to store the master password anywhere. | |
You need at least one password you don't store; otherwise, you can only try to keep your files out of anyone else hands. | |
| Maxim 20-Sep-2009 [14775] | true |
| Gabriele 20-Sep-2009 [14776x2] | And, this is not a problem that *your* app has to solve. It is just wasted time for you. Either you make use of a password manager, or just use obfuscation. |
I'd just use encloak with some random text. If you think it's easy enough to get a system specific key, you might do that, but I don't know if users will be happy to find out that their passwords don't work anymore when they upgrade their PC or move to another computer. | |
| Maxim 20-Sep-2009 [14778x2] | its for a client app... so its not a big issue... its only so the software remembers the login for subsequent calls to the server... just like all the browsers & OS "do you want xxxxxx to remember this password" |
I'll use real encryption (using command) | |
| Gabriele 20-Sep-2009 [14780] | Right, and do you think that the browsers are secure, or use a secret algorithm for that? :) |
| Maxim 20-Sep-2009 [14781] | its a choice I make. and I know every single piece of data on my computer is vulnerable. |
| Gabriele 20-Sep-2009 [14782x2] | using real encryption does not make any difference... but anyway. |
that is what I'm saying... so why waste time with some complicated scheme to store the password? | |
| Maxim 20-Sep-2009 [14784x2] | I mean Gabriele, no system in the world is ultimately secure. The point is only to make it unfeasible. |
cause its going to be requested from every user the first time they have to "re-login" ;-) | |
| Gabriele 20-Sep-2009 [14786x5] | I don't think my point is clear... |
I'm saying that it's a waste of time to try to make it "more secure" | |
or "more unfeasible" | |
just use encloack and obfuscate it so that it does not jump to the eyes. | |
if someone *wants* to get your password they will get it. so why bother? | |
| Maxim 20-Sep-2009 [14791x2] | to make the client happy (the one paying for the application ;-) |
I mean paying me to build it... not the end-user ... ;-) | |
| Gabriele 20-Sep-2009 [14793] | is the client paying you to use a machine specific id and some secret encryption scheme? |
| Maxim 20-Sep-2009 [14794x3] | he'll want the stored password toat least require effort and thus a real cracker to break the binary. this feature will be added later, if ever, it wont for initial public release specifically for the reasons you talk about and which I already had the same conclusions. |
toat = to at | |
this discussion just re-inforces my POV wrt not including the password save feature for now. | |
| Gabriele 21-Sep-2009 [14797] | what does you make presume that he'll want that? and, what does "real cracker" mean? |
| Graham 30-Sep-2009 [14798x2] | What's the quick way of getting the root directory ? This seems tortuous rootdir: to-file rejoin [ "/" second parse/all what-dir "/" "/" ] |
copy/part what-dir 3 is shorter | |
| BrianH 30-Sep-2009 [14800] | On Windows: read %// |
| Graham 30-Sep-2009 [14801x2] | sorry ... I meant I want %/c/ ... and not read the directory |
ie. want the path | |
| BrianH 30-Sep-2009 [14803x2] | Then your second method is best, unless you are on a UNC path, then try this: copy/part find/tail next what-dir "/" |
Sorry, this: rootdir: copy/part rootdir: what-dir find/tail next rootdir "/" | |
| Sunanda 30-Sep-2009 [14805] | Does this do it?
clean-path %//
|
| older newer | first last |