Thanks to all that responded to my query - think I can get on the right
path now.
mikeB
On 08/13/2017 02:36 PM, Tony Morehen wrote:
Don't use .hidden. There is nothing secure about it and it's only used by
the development/installation environments. Hidden directories in
general do nothing for security.

Don't worry about open source/GNU. All encryption programs use the
same well known algorithms. It's passwords that guarantee security,
not the algorithm. BTW, like hidden files, there is no security from
obscurity.

As far as shelling to a third-party encryption program like gpg or
openssl, those programs are good and produce secure outputs, depending
of course on the algorithm selected. However, the act of shelling
exposes you to several attacks like man-in-the-middle. Not recommended.

So internal encryption is recommended and Gambas has the gb.crypt and
gb.openssl components to lighten your workload. Also, gb.desktop has
several password-related functions that can save and retrieve
passwords from your system's wallet/keyring.

gb.crypt includes several one way hash algorithms like md5 or
sha-256. With these, you save the password hash and then compare
hashes on future logins. With these, you never save the actual
passwords and the hashes are virtually impossible to decrypt.

For two way encryption, where you need to go from plain text to
encrypted text back to plain text, look at gb.openssl. It has methods
for symmetric encryption (one password to both encrypt and decrypt
text) and for asymmetric encryption (two passwords, one to encrypt and
one to decrypt). Public key private key encryption is an example of
the latter. Text encrypted with the private key can only be decrypted
by the public key and vice versa.

On 2017-08-13 01:59 PM, mikeB wrote:
Greetings,
I am starting a project that involves encryption of passwords and
user names - storing and recalling them.
1st ? = I noticed Gambas can save and recall files from a ".hidden"
directory. If the files are encrypted before
saving to a hidden dir - how secure is this? In other words would an
experienced coder be able to find and
copy these files? Would this be the secure/ recommended way/ place to
store these files?
2nd ? = shelling out to the "gpg" command line to encrypt / decrypt
the password files be a secure way of
doing this or is there a better way (i.e. writing the encryption code
within the Gambas project)?
3rd ? = Now a GNU question from a real newbie on this subject. With
this type of program (Protected Passwords)
how in the heck could it be released under GNU? Or should it be?
Don't understand how it could possibly be
"protected" if the source code was available to all?
Any suggestions, from the group, would be GREATLY APPRECIATED!
mikeB
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Gambas-user mailing list
Gambas-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gambas-user