Notepad and livecode
I was attempting to see what information I could glean from a stack using notepad. I had thought that only scripts would be visible. Apparently I was wrong again, as I can see all of the customkeys and their contents, i.e. account names and passwords.
While I was doing this, I noticed there were customproperties listed that are no longer a part of this stack. At one time, I saw a script from a different (unrelated) stack that had never been in there with all of this.
Is this normal?
Re: Notepad and livecode
Not sure what the script from another stack stuff is about (are you sure you didn't at some point create a substack, or change the mainstack of an existing stack to the one you're opening?)
However, yes, otherwise this is normal.
If you don't want others to be able to view your stack in this way, you can password-protect it which encrypts all the text contents.
set the password of stack "myStack" to "some_password"
It's also worth noting:
The Dictionary wrote: If the password property of a stack is not empty, all the text in the stack is encrypted (so that it cannot be read in another program, such as a text editor).
The password property applies to a stack, not to the entire stack file, so it is possible to have a stack file that contains both password-protected and unprotected stacks. After setting the password the password protection does not take effect until the stack has been removed from memory and reloaded.
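A check for what the reply above describes, as an added example that is not part of the thread: it lists the byte runs a text editor would show as readable in a saved file and flags those that look like stored secrets. The name patterns and both sample byte strings are constructed assumptions; the real stack file layout is not modelled.

```python
import re
import sys

# Assumed name hints for secret-looking properties; adjust to your own naming.
SECRET_HINTS = re.compile(r"(?i)passw(or)?d|api[_-]?key|secret|token")

def printable_runs(data: bytes, min_len: int = 4):
    """Yield (offset, text) for byte runs a text editor shows as readable:
    plain ASCII, and UTF-16LE (ASCII characters interleaved with NUL bytes)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")

def audit(data: bytes, follow: int = 1):
    """Return readable runs whose text looks like a secret's name, each with
    the `follow` runs after it (a property name usually precedes its value)."""
    runs = sorted(printable_runs(data))
    hits = {}
    for i, (_, text) in enumerate(runs):
        if SECRET_HINTS.search(text):
            hits.update(runs[i:i + 1 + follow])
    return [hits[off] for off in sorted(hits)]

# Constructed bytes standing in for a saved file; NOT the real stack layout.
SAMPLE = (
    b"\x00\x01\x9c\x07"
    b"acctName\x00jsmith\x00\x02"
    b"acctPassword\x00hunter2!\x00\xff\xfe"
    + "apiKey".encode("utf-16-le") + b"\x00\x00"
    + "K-0000-EXAMPLE".encode("utf-16-le") + b"\x00\x00\x8f"
)
# Constructed stand-in for content with no readable text left in it.
OPAQUE = bytes(range(0x80, 0x100))

if __name__ == "__main__":
    # Pass a file path to audit a real file; otherwise the sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for text in audit(blob):
        print("readable:", text)
```

Running it against a copy of the file before and after a change (deleting a property, setting a password and reloading) shows whether the text is actually gone from what was saved.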
Re: Notepad and livecode
Yes it was really strange that a different script showed up in notepad. My intention was to put all scripts into cps, and then set all of the object scripts on openstack. Then put empty into those scripts on closestack just to hide them. I suppose I will just have to use verascript or find some other way to secure this stack. I'm using livecode9.6 Community and setting the password such that the scripts are encrypted is not a feature.
Thanks for the response.
Re: Notepad and livecode
And again, the scripts being accessible meant nothing, but the cps contained sensitive info.
Re: Notepad and livecode
I'll leave this alone after this post, I promise.
I am sorry to keep on with this, but I really cannot see how notepad reads the old custom properties in my stack this morning that were deleted yesterday and the stack saved. Is this something to do with memory?
Re: Notepad and livecode
Don't store passwords. Store only salted hashes of passwords.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
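What a stored salted hash can look like, as an added example that is not part of the post above: the record holds a random salt and a derived digest, so a text editor opening the file shows only those. The choice of PBKDF2-HMAC-SHA256, the iteration count and the `$`-separated record format are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a digest from the password with a fresh random salt and return
    a single text record that can be stored in place of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Malformed or unknown-scheme records are rejected rather than raising."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)
```

This fits passwords the application only needs to check; a credential that has to be sent on to another service cannot be handled this way, as the thread goes on to discuss.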
Re: Notepad and livecode
> oldummy wrote: Sat Dec 23, 2023 3:17 pm
> I'll leave this alone after this post, I promise.
> I am sorry to keep on with this, but I really cannot see how notepad reads the old custom properties in my stack this morning that were deleted yesterday and the stack saved. Is this something to do with memory?
I don’t know enough about this but I would imagine that the file only contains what you saved.
However it’s possible there are more things there than perhaps is obvious - and if you deleted a custom property, perhaps there is another custom property with the same name in a different object or substack and perhaps that’s what you’re seeing. Pure speculation of course, but maybe your notepad text gives some clues?
As to the limitations of community - yes that’s probably right. I never really used community but that seems a likely limitation because it was for opensource only I think.
So I misunderstood the thrust of your question thinking you were complaining about passwords being visible and so on, since you are obviously aware of the limitations of the now dropped and unsupported community version…
Last edited by stam on Sat Dec 23, 2023 6:56 pm, edited 1 time in total.
Re: Notepad and livecode
> FourthWorld wrote: Sat Dec 23, 2023 5:21 pm
> Don't store passwords. Store only salted hashes of passwords.
I do this wherever possible. However if you need to submit things like private API keys to existing online services out of your control, how does this work?
Re: Notepad and livecode
> stam wrote: Sat Dec 23, 2023 6:49 pm
> > FourthWorld wrote: Sat Dec 23, 2023 5:21 pm
> > Don't store passwords. Store only salted hashes of passwords.
> I do this wherever possible. However if you need to submit things like private API keys to existing online services out of your control, how does this work?
Mark Waddingham did a nice write-up on this a while back:
https://livecode.com/best-practice-for- ... -security/
Richard Gaskin
Re: Notepad and livecode
> FourthWorld wrote: Sat Dec 23, 2023 8:23 pm
> Mark Waddingham did a nice write-up on this a while back:
> https://livecode.com/best-practice-for- ... -security/
Yeah…. It was a rhetorical question pointing out that hashed passwords sounds good but can’t be used for everything.
Which is exactly what Mark suggests in this context (i.e. password-protecting the stack)
Re: Notepad and livecode
> stam wrote: Sat Dec 23, 2023 11:57 pm
> > FourthWorld wrote: Sat Dec 23, 2023 8:23 pm
> > Mark Waddingham did a nice write-up on this a while back:
> > https://livecode.com/best-practice-for- ... -security/
> Yeah…. It was a rhetorical question pointing out that hashed passwords sounds good but can’t be used for everything.
I've rarely regretted mistaking a question for being earnest. In this case Mark's recommendations may be as useful to others as the general guidance throughout software engineering of avoiding the storage of readable passwords.
> Which is exactly what Mark suggests in this context (i.e. password-protecting the stack)
This is unfortunate here, in a thread where the OP is using the Community Edition where scripts cannot be encrypted.
One nice thing about LC is that for all its conveniences, when you run into a situation where they're not available you're no worse off than the rest of the world.
If the OP has specified that these passwords are not from users but are instead API credentials, I missed it. And if that turns out to be the case, since it's such a common need it's not hard to find discussions addressing it.
Richard Gaskin