enter password twice -> to validate/verify it

[ueliweb]

Hei

there are many topics about password.
but I dont found an answer to my question yet:

I want ask user to register/enter a new password. Normal you have to enter you password to a encrypted field and then enter the same to a second to compare/validate/verify that they are the same.

As I found yet I need to ask and save it and then ask again and then compare ...

How I can make card/ dialog box containing 2 "field" so that I see just stars but - can't see what is entered

Thanks for help and suggestions

Edit: as conclusion off this topic I created a sample satck - you find it below for download and test it.
http://forums.runrev.com/viewtopic.php?p=52835#p52835

[ueliweb]

An idea with much code work could be:

At the moment I think to place to place 4 fields - 2 hidden and 2 visible.
If someone enters in the first field (then wait a quater second - so he see what he was entering) then copy it in his corresponding hidden filed and change it to a star.
do it for every char and manage also if he step back with the back arrow ...
Then do the same with the validate field

it would be nice to have a field or ask password option that just do it: two fields field with stars for each star

something like HTML does it with

Code: Select all

<input type="password">

[ueliweb]

So at the moment I just can ask and ask twice

Code: Select all

command askPasswordFromUser  pStart
   ##  if user try again show an other start dialog
   if pStart is true then
      ask password "Enter a NEW Password:" titled "Create new password" 
   else
      ask password "You decide trying creating password again:" & return & "So you can now enter from scratch:" titled "Create new password" 
   end if
   
   
   ##  restart if empty pasword
   if it is empty then 
      answer "no empt password. Start again" with "Cancel Registration" or "try again"
      askPasswordFromUser
      exit askPasswordFromUser
   end if
   put it into PW_original
   
   
   ##  veryfiy password 
   repeat for 3 times
      ask password "Enter the password again" titled "Verify password" 
      
      if it is PW_original then
         set the uPassword of this stack to it
         answer "Congratulation password are created"
         ##  some more stuff to proceed
         exit to top
      end if
   end repeat
   
   
   ##  3 times wrong -> cancel or star again
   answer "Sorry - Verifying failed. Login canceled." with "Stop it" or "Try again"
   if it is "try again" then 
      ##  call myself to try again
      call askPasswordFromUser to me
   else
      ##  do something 
      exit to top
   end if
end askPasswordFromUser

with two protected fields it could save about the halve of code and made it easier

Code: Select all

command askPasswordFromUserWith2fields  pStart
   repeat for 3 times
      
      put field 1 into   
      put field 2 into verifyPW  
      
      ##  enter password
      if PW is empty or  PW is not verifyPW then 
         answer "PW does not much or are empt password." with "Cancel Registration" or "try again"
         put "" into field 2
         put "" into field 2
         
         if it is "try again" then 
            askPasswordFromUser
            exit askPasswordFromUser
         end if
      end repeat
      
      
      ##  3 times wrong -> cancel or star again
      answer "Sorry - Verifying failed. Login canceled." with "Stop it" or "Try again"
      if it is "try again" then 
         ##  call myself to try again
         call askPasswordFromUser to me
      else
         ##  do something 
         exit to top
      end if
end askPasswordFromUserWith2fields

What do you think about it?

and just to complete one possible "ask for login password "

Code: Select all

function LoginPassword
   
   repeat for 3 times
      ask password "Please enter your password." 
      if it is empty then exit repeat
      if it = the uPassword of this stack then
         ## right password; proceed
         answer "Password right - you are now logged in"
         return true
      end if
   end repeat 
   
   Answer "Sorry - Verifying failed. Login canceled."
   return false
end LoginPassword

[jacque]

The usual way to do it is to trap keydown and store the string in a variable, and put stars into the field:

Code: Select all

local sPass

on keydown pKey
  put pkey after sPass
  put "*" after fld "password"
end keydown

Now you have their password in the local script variable "sPass" and the field only shows "****".

[ueliweb]

Ahh so! the light shinning now
Thanks very much!
This way is much easier code to manage key actions.
The verification I do in an own command/function

managing deleting last char could lock like:

Code: Select all

local sPass

on deleteKey pKey
  delete last char of sPass
  delete last char of fld "password"
end keydown

Whats about stepping backward?
'backKey' ("the hardware back button" ???) or 'backspaceKey' or 'deleteKey'? There is also something written of an 'Forward Delete key'(dont' found it in the dict). I'am a bit confused reading the dictionary.
-> where can I find an overview/ guide/ tutorial about all this key handlers and constants?

How to protect against 'linefeed' after a return key is pressed?
I used 'returnKey', 'returnInField' and the 'dontWrap' property of the field, but failed
Without the keydown from jacque above this works:

Code: Select all

on returnInField pKey
exit to top
end returnInField

also catch it int the keyDown want work:

Code: Select all

 on keyDown
## the return just shows me that the if statement catch the return
if pKey is return then answer "return pressed"
 ##  do something
end keyDown

An other question: After got and compared the password how encrypt/decrypt it so that I can use it along with this produced in the 'ask password'?
The 'encrypt'/'decrypt' from dictionary needs external library installed on the different system.
And 'encrypt using rsa' looks more difficult because it need this privat/public key things.

[jacque]

Your deletekey handler is correct. Some programs just remove the entire password when delete is hit, and the user must start over. It's up to you, but for now that might be easier than trapping all possible keys. You mention the hardware back button -- are you writing for mobile? Ask password does not encrypt on mobile, it always returns plain text. But you aren't using "ask password" now, so that probably doesn't matter.

You can trap the forward delete key but you must use the rawKeyDown message instead of keyDown for that. RawKeyDown uses numerical parameters. You can find out what those are with a temporary handler like this:

on rawKeyDown pKey
put pKey
pass pKey
end rawKeyDown

That will put the number codes into the message box when you type and you can create a handler that responds to those. Remove that test handler after creating your list of numbers so it won't interfere with regular typing. It might be easer for now to just put empty into the field when the user types a delete key. You can always change to a rawKeyDown handler later if you want.

Set the field's autoTab property ("Tab On Return") to true to prevent the return key from activating. This will work if your fields are only one line high. Return and enter keys will not trigger and there will be no linefeeds. Or if you want to do it in a script:

on enterInField
end enterInField

on returnInField
end returnInField

Those will trap the enter and return keys and do nothing.

The keydown handler will put plain text into the password variable. If you want it encrypted, you can use the built-in password hashing manually:

put mcEncrypt(sPass) into sPass

This gives the same thing as the "ask password" dialog and will create a hash of the password. There is no "decrypt" function, but you don't need it. Just compare the two hashes to see if they match.

You could use SSL if you want, it isn't hard to include the library. You just tick a checkmark in the standalone builder and the library will work in the standalone. But SSL is not supported on mobile yet, so if you are writing this for mobile then SSL is not an option.

[ueliweb]

Hei Jacqueline

thanks 1001 times.
Now I understand the key handling much better.

My project should work on all platforms, I decide to focus first for iOS, then Mac, ...
I want use the same code base (with as less exception as posible) and make just the different GUIs.

Yes I will start with just clear the hole fields.
Thanks for explain the autoTab property, no more scripting just activate it.
I did't know the right difference between enter and return, further for me it was the same. so thats why return did not catch the numeric keybord - this is enter

the 'rawKeyDown' will a great help in future.

And for the encryption mcEncrypts summary is just "Reserved for internal use." for me it means it is a reserved word that should not be used.

Searching something if you don't know how the words are you have to lockin for, is sometimes difficult. And even more, if you don't have high level english.

Again thanks very much!

[jacque]

Searching something if you don't know how the words are you have to lockin for, is sometimes difficult. And even more, if you don't have high level english.

Yes, that's very true. Many people have complained about that but with a little work you can usually find what you need. Try searching for a common English word for the term you want. For example, search for "key" and you will see most of the keyboard messages. It also helps to look at the "See also" section of the dictionary entry. That usually gives you more ideas where to look. LiveCode has so many keywords, it takes a long time to learn them all. But you will.

Your English is very good, I think you will do fine.

Edit: About the "internal use" for mcEncrypt, in this case I think it is fine to use it. It has been in the engine since the beginning and is the basis for the password dialog, so I don't think it will go away. I suspect it is not well documented because RR wants to discourage its use. It may not be as secure as SSL but it is fine for casual protection.

[ueliweb]

thanks again Jacqueline
it was a real big help
and thanks for your compliment about my english skills (dictionaries and auto corrections helps a lot) - not always feel like that, but today I will fly in happiness.

----------------------------------------------------

As a result of this topic and play with the new knowledge I built a stack that helps me understand better how this works. Compiled to Mac Standalone and to iPhone it worked too.

Now I want share it with you all.
Perhaps it's also helpful for other newcomers.
(But remember it's a sample not a security solution.)

If you find bugs or have some suggestions, improvements, ...
please let me know. I will have a look at the case and update it.

[ueliweb]

Hello all

I got a positive feedback about the sample stack. It should no includes no potential mistakes or security risk and it works well.
Thanks to Jaquline.

Nevertheless don´t forgott it is a SAMPLE stack.
So if you need security think about ALL other aspects/ issues of security your app needs!

I built it for a easy user management which just protects against using an other users settings.
No personal or other sensitive data, ...


I replaced the older stack in the previous post with the todays version (8. March 2012) - there is nothing modified, I just removed all breakpoints.

[Mark]

Hi,

I can see that you are struggling with the same problems I encountered when I made my password field. The password field I made allows for pasting the password and adding characters in-between and several other actions. The password field is available from the private section of my website.

Kind regards,

Mark