Don't use .hidden. There is nothing secure about it and it's only used by the development/installation environments. Hidden directories in general do nothing for security.

Don't worry about open source/GNU. All encryption programs use the same well known algorithms. It's passwords that guarantee security, not the algorithm. BTW, like hidden files, there is no security from obscurity.

As far as shelling to a third-party encryption program like gpg or openssl, those programs are good and produce secure outputs, depending of course on the algorithm selected. However, the act of shelling exposes you to several attacks like man-in-the-middle. Not recommended.

So internal encryption is recommended and Gambas has the gb.crypt and gb.openssl components to lighten your workload. Also, gb.desktop has several password-related functions that can save and retrieve passwords from your system's wallet/keyring.

gb.crypt includes several one way hash algorithms like md5 or sha-256. With these, you save the password hash and then compare hashes on future logins. With these, you never save the actual passwords and the hashes are virtually impossible to decrypt.

For two-way encryption, where you need to go from plain text to encrypted text back to plain text, look at gb.openssl. It has methods for symmetric encryption (one password to both encrypt and decrypt text) and for asymmetric encryption (two passwords, one to encrypt and one to decrypt). Public key/private key encryption is an example of the latter. Text encrypted with the private key can only be decrypted by the public key and vice versa.


On 2017-08-13 01:59 PM, mikeB wrote:
Greetings,
I am starting a project that involves encryption of passwords and user names - storing and recalling them.

1st ? = I noticed Gambas can save and recall files from a ".hidden" directory. If the files are encrypted before saving to a hidden dir, how secure is this? In other words, would an experienced coder be able to find and copy these files? Would this be the secure/recommended way/place to store these files?

2nd ? = Would shelling out to the "gpg" command line to encrypt/decrypt the password files be a secure way of doing this, or is there a better way (i.e. writing the encryption code within the Gambas project)?

3rd ? = Now a GNU question from a real newbie on this subject. With this type of program (Protected Passwords) how in the heck could it be released under GNU? Or should it be? I don't understand how it could possibly be "protected" if the source code was available to all?

Any suggestions, from the group, would be GREATLY APPRECIATED!
mikeB



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Gambas-user mailing list
Gambas-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gambas-user
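The hash-and-compare flow the reply describes, written out as an added example in Gambas (not code from the thread or from the Gambas project). It assumes the gb.crypt component is enabled and that Crypt.SHA256(Password) returns a salted crypt(3)-style string while Crypt.Check(Password, Hash) verifies a password against one, as documented in the Gambas wiki; the in-memory user store is constructed for the example.

```gambas
' Added example, not from the original thread. Assumes gb.crypt is enabled and
' the Crypt.SHA256 / Crypt.Check signatures as documented in the Gambas wiki.

' Constructed in-memory store: user name -> salted password hash.
' A real program would persist this with the same content (hashes only).
Private $cStore As New Collection

' Store only the salted hash. The plaintext password is never written anywhere;
' Crypt.SHA256 picks a random salt and embeds it in the returned string.
Public Sub Register(sUser As String, sPassword As String)
  $cStore[sUser] = Crypt.SHA256(sPassword)
End

' Verify a login attempt: Crypt.Check re-hashes the candidate with the salt
' embedded in the stored hash and compares the two hashes.
Public Function Login(sUser As String, sPassword As String) As Boolean
  Dim sHash As String = $cStore[sUser]
  ' Unknown user: fail closed rather than raise on a Null hash.
  If Not sHash Then Return False
  Return Crypt.Check(sPassword, sHash)
End

Public Sub Main()
  Register("mike", "correct horse battery staple")
  ' Only the salted hash is held; no plaintext is recoverable from it.
  Print "stored hash for mike: "; $cStore["mike"]
  Print "correct password: "; Login("mike", "correct horse battery staple")
  Print "wrong password:   "; Login("mike", "not the password")
  Print "unknown user:     "; Login("nobody", "anything")
End
```

Each call to Register produces a different hash for the same password because of the random salt, which is why the comparison must go through Crypt.Check rather than a plain string equality on freshly computed hashes.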



