Notepad and livecode

[oldummy]

I was attempting to see what information I could glean from a stack using notepad. I had thought thought that only scripts would be visible. Apparently I was wrong again, as I can see all of the customkeys and their contents ie: account names and passwords.

While I was doing this, I noticed there were customproperties listed that are no longer a part of this stack. At one time, I saw a script from a different (unrelated) stack that never been in there with all of this.
Is this normal?

[stam]

Is this normal?

Not sure what the script from another stack stuff is about (are you sure you didn't at some point create a substack, or change the mainstack of an existing stack to the one you're opening?)

However, yes, otherwise this is normal.

If you don't want others to be able to view your stack in this way, you can password-protect it which encrypts all the text contents.

Code: Select all

set the password of stack "myStack" to "some_password"

The Dictionary is your friend:

If the password property of a stack is not empty, all the text in the stack is encrypted (so that it cannot be read in another program, such as a text editor).

It's also worth noting:

The password property applies to a stack, not to the entire stack file, so it is possible to have a stack file that contains both password-protected and unprotected stacks. After setting the password the password protection does not take effect until the stack has been removed from memory and reloaded.

[oldummy]

Yes it was really strange that a different script showed up in notepad. My intention was to put all scripts into cps, and then set all of the object scripts on openstack. Then put empty into those scripts on closestack just to hide them. I suppose I will just have to use verascript or find some other way to secure this stack. I'm using livecode9.6 Community and setting the password such that the scripts are encrypted is not a feature.
Thanks for the response.

[oldummy]

And again, the scripts being accessible meant nothing, but the cps contained sensitive info.

[oldummy]

I'll leave this alone after this post,I promise.
I am sorry to keep on with this, but I really cannot see how notepad reads the old custom properties in my stack this morning that that were deleted yesterday and the stack saved. Is this something to do with memory?

[FourthWorld]

Don't store passwords. Store only salted hashes of passwords.

[stam]

I'll leave this alone after this post,I promise.
I am sorry to keep on with this, but I really cannot see how notepad reads the old custom properties in my stack this morning that that were deleted yesterday and the stack saved. Is this something to do with memory?

I don’t know enough about this but I would imagine that the file only contains what you saved.

However it’s possible there are more things there than perhaps is obvious - and if you deleted a custom property, perhaps there is another custom property with the same name in a different object or substack and perhaps that’s what you’re seeing. Pure speculation of course, but maybe the your notepad text gives some clues?

As to the limitations of community - yes that’s probably right. I never really used community but that seems a likely limitation because it was for opensource only I think.

So I misunderstood the thrust of your question thinking you were complaining about passwords being visible and so on, since you are obviously aware of the limitations of the now dropped and unsupported community version…

[stam]

Don't store passwords. Store only salted hashes of passwords.

I do this wherever possible. However if you need to submit things like private API keys to existing online services out of your control, how does this work?

[FourthWorld]

Don't store passwords. Store only salted hashes of passwords.

I do this wherever possible. However if you need to submit things like private API keys to existing online services out of your control, how does this work?

Mark Waddingham did a nice write-up on this a while back:

https://livecode.com/best-practice-for- ... -security/

[stam]

Mark Waddingham did a nice write-up on this a while back:

https://livecode.com/best-practice-for- ... -security/

Yeah…. It was a rhetorical question pointing out that hashed passwords sounds good but can’t be used for everything.

Which is exactly what Mark suggests in this context (ie password-protecting the stack )

[FourthWorld]

Mark Waddingham did a nice write-up on this a while back:

https://livecode.com/best-practice-for- ... -security/

Yeah…. It was a rhetorical question pointing out that hashed passwords sounds good but can’t be used for everything.

I've rarely regretted mistaking a question for being earnest. In this case Mark's recommendations may be as useful to others as the general guidance throughout software engineering of avoiding the storage of readable passwords.

Which is exactly what Mark suggests in this context (ie password-protecting the stack )

This is unfortunate here, in a thread where the OP is using the Community Edition where scripts cannot be encrypted.

One nice thing about LC is that for all its conveniences, when you run into a situation where they're not available you're no worse off than the rest of the world.

If the OP has specified that these passwords are not from users but are instead API credentials, I missed it. And if that turns out to be the case, since it's such a common need it's not hard to find discussions addressing it.