Mask a Password and reuse the text afterwards


Post by jacque » Tue Apr 27, 2021 8:06 pm

dunbarx wrote:
Tue Apr 27, 2021 6:11 pm
Do you think there is no danger that the imageSource can be hacked? I have no idea; I never need to worry about Security, but I know you always do.
If the stack is opened in the IDE then it can easily be accessed. In a standalone, it's safe. A standalone only has the text editing functions that the scripts allow, so if you block the copy function then the text can't be extracted. I allow pasting but not copying. In addition, just in case, I also empty the field on openField if the user clicks in it which means they can't even select existing text. They have to type it anew.

The user is limited to the login card until the credentials are verified, and after that the text is removed from the fields. There is probably one case in which a hacker could access the credentials, and that is if they have installed a key logger or can watch the data stream before it is sent to the server (which would be just before transmission, since the credentials are encrypted with SSL when actually sent.) In that case the method is as vulnerable as any other login method on any other app or web site.

One other trick I like about this method is that you can briefly display the character typed if you do not lock the screen during text entry. This is a side-effect of the time it takes to implement an imageSource. The effect is similar to what mobile apps do during password entry. If you do lock the screen before setting the imageSource then there is no brief display, so you can control whether or not you allow the user to verify their typing as they go.

I've used the imageSource method on both desktop and mobile apps and it works well on both. On mobile I do not use native fields because I have more control over text entry in LC fields and for single-line text a LC field works fine.
That is why Richmond, and then I, went the "No password left behind" way.
I guess it depends on your definition of "left behind." On desktop apps I sometimes don't store the password but on mobile it's truly a pain to type on an on-screen keyboard repeatedly. My client specifically requested that the credentials be automatically entered on launch if there has been a valid login in the past. So I get the contents of the verified fields the first time, encrypt them, and store them in the app's sandbox where they are protected from user access on both Android and iOS. When the user launches the app, the stored data is unencrypted and placed into the fields (using imageSource on the password field.) This doesn't ensure a valid login though; the entries are sent to the server normally just as though the user had typed them. It just saves the user from the tedium of the virtual keyboard.

This proved so convenient that we also use the same method on desktop apps now. If the data is encrypted, it's probably reasonably safe as long as your app is saved as password protected.
Jacqueline Landman Gay | jacque at hyperactivesw dot com
HyperActive Software | http://www.hyperactivesw.com

Post by stam » Tue Apr 27, 2021 10:08 pm

jacque wrote:
Tue Apr 27, 2021 8:06 pm
One other trick I like about this method is that you can briefly display the character typed if you do not lock the screen during text entry. This is a side-effect of the time it takes to implement an imageSource. The effect is similar to what mobile apps do during password entry. If you do lock the screen before setting the imageSource then there is no brief display, so you can control whether or not you allow the user to verify their typing as they go.
I find that if setting the imageSource in the on textChanged handler it's really very quick and you don't get this effect, regardless if locking screen or not.
On the other hand, if setting it in the on keyUp handler (as it fires after textChanged), you get this effect for as long as the user is depressing the key and obscures the text as soon as the user releases the key; this simulates the mobile platform fairly well. Not suitable for my uses but maybe for other stuff...

Post by fanny » Thu Apr 29, 2021 10:52 am

Sorry for only answering now, I thought I would get an email notification or something if something was posted, but nvm.

Thank you so much for the many answers, I will need to look through them and try what works best. But I am so thankful for your help!
To clarify the statement "use the password afterwards": I want the password obscured, but I also need to create a hash afterwards, to store that in the database.
With some methods the password was lost when I masked it, and then I couldn't create a hash for the database.

Post by stam » Thu Apr 29, 2021 11:50 am

fanny wrote:
Thu Apr 29, 2021 10:52 am
with some methods the password was lost when I masked it, and then I couldn't create a hash for the database.
Hi Fanny, broadly speaking you have 2 options:
- store the entered password text in a custom property of the field, the card or the stack; or
- keep the text in the field but obscure it by setting the imageSource (personally that's my favoured solution as it's much simpler to implement).
- if implementing the latter you can trap the copy/cut but allow for paste - check out on cutKey and on copyKey

Most of the solutions above are about only masking the entry as that was your question - golife has posted a nice solution above with methods to encrypt/hash the password...

Good luck ;)
Stam

Post by AxWald » Thu Apr 29, 2021 3:27 pm

Hi,

I knew I made such a thing ages ago! And I actually found it.
So I did a quick code redressing, preserving the priceless UI. See attachment.

It's using a simplified approach for a user to enter her password - for instance, it recognizes a previously copied one. And it doesn't display anything, doesn't even have an input field - you just type ahead. When the password is matched, it'll let you in.

The whole thing is basically 1 self contained group, called at startup. It then covers the whole window (here left out), obscuring all controls. Only when a correct password is entered it vanishes. Else it quits the stack.

The password, once created, is stored & tested again in a custom property of the group, ready to be set from/ saved to anywhere.
The hashing function, "base64Encode(sha1Digest('thisIsMyPassWord!'))", is in the stack script; a better hashing algorithm is recommended. There's a link to Mark Smith's revolution libraries with it - this contains an implementation of SHA256 for the users of older LC versions.

Hope someone has use for this. Have fun!
Attachment: awa_friendlyPWinput.zip (a simple password input demo, 3.56 KiB)
All code published by me here was created with Community Editions of LC (thus is GPLv3).
If you use it in closed source projects, or for the Apple AppStore, or with XCode
you'll violate some license terms - read your relevant EULAs & Licenses!

Post by FourthWorld » Thu Apr 29, 2021 3:49 pm

Mark contributed some great libraries, but with v9 we now have a messageDigest function that not only supports the older md5 and sha1 but also several lengths of sha2 and sha3.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

Post by stam » Fri Apr 30, 2021 1:29 am

FourthWorld wrote:
Thu Apr 29, 2021 3:49 pm
Mark contributed some great libraries, but with v9 we now have a messageDigest function that not only supports the older md5 and sha1 but also several lengths of sha2 and sha3.
Thanks for that Richard - great tip - I wasn't aware of messageDigest but it was what i needed ;)
It was extremely easy to retrofit into my current app.

Does anyone know if anyone has written a guide/tutorial for best practices in cryptography in liveCode?

The specific question i have in mind is if it's really necessary to base64encode the generated message digest? - i haven't done this, but it works just fine in a liveCloud database... (ie the stored message digest compares correctly with the message digest derived from user input on login)

Stam

Post by FourthWorld » Fri Apr 30, 2021 2:01 am

LC's functions return the raw binary form. Many find it convenient to spend a little extra space converting to text. The most common method is hex - use binaryDecode.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

Post by AxWald » Fri Apr 30, 2021 9:51 am

Hi,
stam wrote:
Fri Apr 30, 2021 1:29 am
[...] if it's really necessary to base64encode the generated message digest?
You don't really need to base64encode the binary output of messageDigest.

But since there's chars in it that may be shown or not, depending on software/ OS/ locale Settings used, it's a good idea IMHO, especially during development & testing. You may remove the encoding later, in the production system, to save some microseconds :)
Example in the msg box:


put "LC " & the version & CR & sha1Digest("stam") & CR & base64encode(sha1Digest("stam"))
Result: [image: encode.png, "Comparison"]
You see? LC 9 just doesn't display the 0x11 (SOH) & 0x01 (DC1) that enclose the SHA line. This may cause confusion.
Looking at the base64Encoded result instead quickly shows that it's all the same. That's why I use it.

Have fun!
All code published by me here was created with Community Editions of LC (thus is GPLv3).
If you use it in closed source projects, or for the Apple AppStore, or with XCode
you'll violate some license terms - read your relevant EULAs & Licenses!
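
The three digest forms discussed in the posts above (raw binary from messageDigest, hex via binaryDecode, base64), as an added LiveCode example that is not code from any poster or attachment. The handler names and the pSalt parameter are assumptions; the comparison sets caseSensitive to true because base64 text distinguishes upper and lower case while LiveCode string comparison ignores case by default.

```livecode
-- Added example, not code from the thread. Needs LiveCode 9+ (messageDigest).
-- Handler names and the pSalt parameter are hypothetical. pSalt stands for a
-- per-user random value stored next to the digest (an assumption; the thread
-- does not discuss salting).

-- Raw binary SHA-256 digest of salt + password (32 bytes, not printable).
function pwDigestRaw pPassword, pSalt
   -- Encode the text explicitly so every platform hashes the same bytes.
   return messageDigest(textEncode(pSalt & pPassword, "UTF-8"), "sha-256")
end pwDigestRaw

-- Hex form: the binaryDecode conversion FourthWorld mentions.
function pwDigestHex pPassword, pSalt
   local tHex
   get binaryDecode("H*", pwDigestRaw(pPassword, pSalt), tHex)
   return tHex
end pwDigestHex

-- Base64 form: the conversion AxWald uses.
function pwDigestBase64 pPassword, pSalt
   return base64Encode(pwDigestRaw(pPassword, pSalt))
end pwDigestBase64

-- Compare a login attempt with the stored base64 text.
function pwMatchesStored pPassword, pSalt, pStoredBase64
   -- Base64 is case-sensitive, but LiveCode string comparison ignores case
   -- unless caseSensitive is true (the property resets when the handler ends).
   set the caseSensitive to true
   return pwDigestBase64(pPassword, pSalt) is pStoredBase64
end pwMatchesStored

-- Usage from a test button (constructed sample values).
on mouseUp
   local tSalt, tStored
   put "constructed-salt-0001" into tSalt
   put pwDigestBase64("correct horse", tSalt) into tStored
   put pwDigestHex("correct horse", tSalt) & cr & tStored & cr & \
         pwMatchesStored("correct horse", tSalt, tStored) & cr & \
         pwMatchesStored("wrong horse", tSalt, tStored)
end mouseUp
```

Whichever text form is stored, the same form has to be produced at login; the hex and base64 strings encode the same 32 bytes.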

Post by stam » Fri Apr 30, 2021 12:41 pm

AxWald wrote:
Fri Apr 30, 2021 9:51 am
You see? LC 9 just doesn't display the 0x11 (SOH) & 0x01 (DC1) that enclose the SHA line. This may cause confusion.
Looking at the base64Encoded result instead quickly shows that it's all the same. That's why I use it.
Thanks Axwald - what you say makes sense but I get the impression it’s not likely to be an issue for me.

I don’t use a field to store or display the binary data, comparison with values stored in the LiveCloud database are directly compared with the output of a function that takes the user’s entered password as a parameter and returns a Boolean. On limited testing this seemed to work fine, but wasn’t sure if it may cause problems in the future...

Post by jiml » Fri Apr 30, 2021 4:30 pm

Also check out "ask password" in the Dictionary.

Post by stam » Sun May 02, 2021 1:58 am

jiml wrote:
Fri Apr 30, 2021 4:30 pm
Also check out "ask password" in the Dictionary.
Difficult to know where the "ask password" command will be helpful... it certainly works as advertised, which is to say it provides a modal dialog with one field that obscures the text with asterisks and includes non-modifiable OK/Cancel buttons...

It doesn't cater for a username, option to show/hide password, any way to add buttons (eg to reset password), so use cases for this will be very limited... Anyone creating a log-in system (including the OP) will almost certainly have to roll their own. Not to mention that using asterisks to obscure text looks fairly nasty!

Post by bogs » Sun May 02, 2021 10:59 am

stam wrote:
Sun May 02, 2021 1:58 am
jiml wrote:
Fri Apr 30, 2021 4:30 pm
Also check out "ask password" in the Dictionary.
1.) Difficult to know where the "ask password" command will be helpful... it certainly works as advertised, which is to say it provides a modal dialog with one field that obscures the text with asterisks and includes non-modifiable OK/Cancel buttons...

It doesn't cater for a username, option to show/hide password, any way to add buttons (eg to reset password), so use cases for this will be very limited... Anyone creating a log-in system (including the OP) will almost certainly have to roll their own. 2.) Not to mention that using asterisks to obscure text looks fairly nasty!
1.) Really? I can think of a 100 places where all you need is something exactly like 'ask password' heh, mostly any situation where you'd have a single entry pass word box where the username is already known (and security is NOT your major reason), or, if the user enters an un-stored name. Unfortunately, in this case, the OP already said in the original post...
fanny wrote:
Mon Apr 26, 2021 2:56 pm
Hello,
<sic>
The ask Password method is no option unfortunately.
2.) Beauty I suppose is in the eye of the beholder, but as far as I know, the lowly asterisk is still by FAR one of the most popular replacement characters for masking password characters. That, and oversized dots.

Post by stam » Sun May 02, 2021 6:15 pm

bogs wrote:
Sun May 02, 2021 10:59 am
Really? I can think of a 100 places where all you need is something exactly like 'ask password' heh
That's probably 99 more than i can ;)
bogs wrote:
Sun May 02, 2021 10:59 am
mostly any situation where you'd have a single entry pass word box where the username is already known
Yeh that's the point - it's more clunky because you either just have 1 password for all use cases, or you have to have a separate process to choose a username first. You could have a use case for it where a user could need to re-login (for example after a period of inactivity) but the ask password is too limited as you only get OK/Cancel buttons. What do you do if another user wants to use the app for example?
bogs wrote:
Sun May 02, 2021 10:59 am
Beauty I suppose is in the eye of the beholder, but as far as I know, the lowly asterisk is still by FAR one of the most popular replacement characters for masking password characters. That, and oversized dots.
Yeh your experience differs then vastly from mine - and while we could agree to disagree, you can also google examples of obscured password fields as a straw poll of what is commoner - i think you'll find asterisks are not the most prevalent way to do this in general, although of course we all work in fields that may differ from the mainstream.

Oh, and dots definitely do NOT need to be oversized ;) If setting the imageSource then you may well need to alter the margins to ensure the text is still centred vertically when showing dots rather than text.
Another way to do this is to hold the password in a custom property and display the text replaced by the unicode char for black circle instead of using the lazy asterisk: numToCodepoint (0x25CF) is a black circle you can treat like text; i just found that custom props required a lot more code for practically no benefit so i switched to imageSource.

But then that's just me and I'm pretty lazy...

Post by bogs » Sun May 02, 2021 10:06 pm

stam wrote:
Sun May 02, 2021 6:15 pm
bogs wrote:
Sun May 02, 2021 5:59 am
mostly any situation where you'd have a single entry pass word box where the username is already known
Yeh that's the point - it's more clunky because you either just have 1 password for all use cases, or you have to have a separate process to choose a username first. You could have a use case for it where a user could need to re-login (for example after a period of inactivity) but the ask password is too limited as you only get OK/Cancel buttons. What do you do if another user wants to use the app for example?
I think this is where the differences in what we do probably comes into play, but, just like the "logged out/ re-login" situation you mention, I was thinking along the lines of authorization of software use, where you are using a desktop application like, say, Thunderbird (or most any email program), and it asks you for the password to check, say, your email account :D

There is nothing wrong with rolling your own for sure, though.
stam wrote:
Sun May 02, 2021 6:15 pm
bogs wrote:
Sun May 02, 2021 5:59 am
Beauty I suppose is in the eye of the beholder, but as far as I know, the lowly asterisk is still by FAR one of the most popular replacement characters for masking password characters. That, and oversized dots.
Yeh your experience differs then vastly from mine - and while we could agree to disagree, you can also google examples of obscured password fields as a straw poll of what is commoner - i think you'll find asterisks are not the most prevalent way to do this in general, although of course we all work in fields that may differ from the mainstream.
I didn't use Google, but those images posted were from a search for masked passwords in the images section of the search engine, we think somewhat alike I guess, since I used it as a straw poll, as well as remembering what passwords I enter look like when I enter a website. Out of the 25 tabs I currently have open, 13 are passworded, 6 are asterisks, go figure 7 are dots :P