encryption etiquette

After a user has entered the required encryption key, if she/he wants to change it, should he be asked again for the key in order to proceed and change it, or is this step redundant?

I believe it’s a common practice for security.
I’d do it.

Absolutely request it again. Consider the scenario where a user had logged in and had been called away without logging out. If you don’t re-request the key anyone could change it.

I would also add: make the user enter the new encryption key twice (in two separate TextFields) and make sure that both strings match using StrComp (remember that Xojo string comparison is not case-sensitive, so you have to use StrComp).
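
Added example, not part of any post in this thread: the checks suggested in the replies above, combined into one Xojo function. The names `ValidateKeyChange`, `activeKey`, `currentEntry`, `newEntry` and `confirmEntry` are hypothetical, it assumes the app still holds the key the user unlocked with, and the empty-key check is an extra assumption.

```xojo
// Added example. Hypothetical names: ValidateKeyChange, activeKey, and the
// three entry parameters (the .Text values of three TextFields).
// Returns "" when the change may proceed, otherwise the reason to show the user.
Function ValidateKeyChange(activeKey As String, currentEntry As String, newEntry As String, confirmEntry As String) As String
  // Step 1: re-request the current key even though the session is unlocked,
  // so that someone at an unattended machine cannot change it.
  // StrComp mode 0 is a binary, case-sensitive comparison; 0 means equal.
  // The = operator ignores case and would accept a key typed in the wrong case.
  If StrComp(currentEntry, activeKey, 0) <> 0 Then
    Return "The current key is incorrect."
  End If

  // Step 2 (assumption, not from the thread): two empty fields would pass
  // the match test below, so reject an empty new key first.
  If newEntry = "" Then
    Return "The new key cannot be empty."
  End If

  // Step 3: both entries of the new key must match exactly.
  // "If newEntry = confirmEntry" would accept "Secret" and "secret" as equal,
  // leaving the user unsure which one was actually stored.
  If StrComp(newEntry, confirmEntry, 0) <> 0 Then
    Return "The two entries of the new key do not match."
  End If

  Return ""
End Function
```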


Thank you all for the suggestions and clarification.