Where do you store User + PW?

In my little app I have two text-fields for user and password.
KAT.textEmail
KAT.textPassword

MsgBox KAT.textEmail.text + " --> " + KAT.textPassword.text

When I use this code, the KAT window opens.

Can I store such data in these text fields or shall I place them in a Property…?
As long as it works, I really do not mind where and how…!

There are endless possibilities where you can store your vars… use constants or properties in your app. or module context. For more persistent data, store it as an SQLite database in your user's special folders context and read it when your software starts.

But keep in mind that it is not safe and quite uncommon to save users' data or any login data unencrypted.

Store the username/password in an ENCRYPTED State… never never as clear text

Then, when the user enters the username/password to be validated… encrypt their input and compare the two encrypted values.

This is how most secure (or somewhat secure) systems do it, and it is also why most of those systems can’t tell you what your password is, and must issue a new one if you “forget” it.

Dave, don’t you mean hash? Not encrypted? :slight_smile:
An encrypted password can be decrypted.

Hashed is what you all mean

[quote=158536:@Jakob Krabbe]In my little app I have two text-fields for user and password.
KAT.textEmail
KAT.textPassword

MsgBox KAT.textEmail.text + " --> " + KAT.textPassword.text

When I use this code, the KAT window opens.

Can I store such data in these text fields or shall I place them in a Property…?
As long as it works, I really do not mind where and how…![/quote]

Jakob, this is a very complex subject area and, as @Tomas Jakobs states, there are so many possibilities. You will find one person's advice is another person's warning. One method may seem safe while someone else tells you the dangers associated with using such a method. Storage of personal details and usernames/passwords has to be well thought out. Imagine your app reveals someone's username and password to an unscrupulous character; that user may use that same password to log in to Twitter, Facebook, their bank or even more.

You should read, and read and read all over the web to look at different methods and then decide yourself which you think best fits your scenario. With respect, I think advising you based on the lack of information you have provided about what you are trying to do would be impossible.

I think there are two scenarios here which may require different strategies, and the intermingling of the terms hash and encryption is confusing:

In the first scenario the user will enter their username and password every time the app loads. You can hash these and save the hashes to a file (although I am not sure why you would want to). When the user wants to log in they re-enter their username and password and you simply hash those and compare to what you previously stored; if they match, the user entered the correct data. This is a very simple approach, and what you store and save should obviously be obfuscated, even if you are using a hash. I would say in this scenario there really is no need to store anything and the hash should be done on the fly.

The second scenario is when you want to give the user the ability to save their login information to their computer so it will automatically allow them to log in, i.e. “remember me on this computer” (Facebook, Twitter, etc. etc.). In that case you will at least need to retrieve the user’s login, not its hash. Since a hash cannot go backwards (de-hash) to get the user name, encryption and decryption of the username appears to be the only option. In this case I believe the username should be encrypted and the password should be hashed.

Am I correct with my understanding of these two scenarios and underlying strategies?

I agree!

Xojo provides a function for exactly this:

Crypto.PBKDF2
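The hash-and-compare flow described in the two scenarios above, using PBKDF2 as the post suggests, written out as an added example in Python (the standard library's `hashlib.pbkdf2_hmac`) rather than Xojo; it is not code from the thread or from Xojo. The record layout (`algorithm$iterations$salt$hash`), the iteration count and the salt length are assumptions chosen for the example, not settings the thread specifies. The point it shows that the prose does not: the salt and iteration count are stored next to the hash so that verification can re-derive it later, and the comparison is constant-time.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; the thread names Crypto.PBKDF2 but not its settings.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # high enough to make offline guessing slow
SALT_BYTES = 16
KEY_BYTES = 32


def pbkdf2_sha256(password: str, salt: bytes, iterations: int, length: int = KEY_BYTES) -> bytes:
    """Derive a fixed-length key from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, length)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_b64$hash_b64.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed hash tables are useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = pbkdf2_sha256(password, salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and parameters and compare in constant time.

    The stored value is never decrypted (it cannot be); the candidate password is
    hashed the same way and the two hashes are compared.
    """
    try:
        algorithm, iterations_text, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed record: a failed login, never a crash
    actual = pbkdf2_sha256(password, salt, iterations, len(expected))
    # compare_digest does not stop at the first differing byte, so timing reveals nothing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Only the record string needs to be persisted (a file, SQLite row or property); the plaintext password is discarded as soon as it has been hashed. For the "remember me" scenario the username would be stored separately and reversibly, as the post above says; this block covers only the password side.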

Jakob Krabbe? Still alive? Hope we all have not overkilled you with this mass of information :slight_smile:

Thank you!
No, it’s fine!

Encryption is not the question. It was not what I asked…
It’s all me, all my fault. I asked the wrong question!

I will store the email and the randomly made password in a protected module. It seems to work.
Protected Modules are good for me. They seem less confusing than the rest of the IDE.
The IDE is all false advertisement. Because if you have a neat feature you wish to use in a different part of the software, then unexpected events are triggered and … a simple task becomes a mega complex situation for no obvious reason.

In Protected Modules there are no such surprises. I don’t like surprises, not this kind.


Notes is a neat feature!
I love it! Or?
Any unexpected surprises that will come with the notes!?

We all do that. Don’t take it hard. Just ask the question the best you can, and the community will help you. Even if you ask the question with the wrong diction/prose.

Believe me, you aren’t the first and won’t be the last. I have done it recently myself.
sb

There is a really good article written by Thom McGrath here, which discusses storing passwords securely in Xojo, with some example code and some background to the whole process. It uses random salts and hashing.

It's definitely worth a read.

I have used this in a couple of projects using SQLite and feel quite confident with it. And for what it's worth, I have implemented it each time using a module.

:slight_smile:

Hi,

I made a game which saves the score of the players in a text file. I made my own encrypt/decrypt method which encrypts the name of the player and his score. When I launch the app, I have to decrypt all of this to get the score. (I need the two ways.)

I do it to avoid people who want to edit the text file with a false high score. So it doesn't need to be very secure.
But I wonder if there is a Xojo function for that. It seems to be that Crypto.RSADecrypt

RSAEncrypt and RSADecrypt can only handle small amounts of data, but that’s all you’d need in this case.

However, I wonder if you could just store the hash of the remainder of your file within the file? Someone who tries to manually change one part would have to update the hash too. If you use PBKDF2 to generate the hash, they’d have to know your settings, so the task becomes much harder.

[quote=158869:@Thomas ROBISSON]Hi,

I made a game which saves the score of the players in a text file. I made my own encrypt/decrypt method which encrypts the name of the player and his score. When I launch the app, I have to decrypt all of this to get the score. (I need the two ways.)

I do it to avoid people who want to edit the text file with a false high score. So it doesn't need to be very secure.
But I wonder if there is a Xojo function for that. It seems to be that Crypto.RSADecrypt[/quote]

Why not just use an encrypted SQLite database? :slight_smile:

Even that might be an issue because somewhere you need to store the encryption key. If you put it in plaintext in code someone could read it using a hex editor. You have to hide that in code too.

For non highly critical projects, I just obfuscate the Enc.Key :wink:
For all the other stuff, I have my Einhugur PlugIns :smiley:

Thank you for your answers. I never used SQLite, and I think my license doesn’t allow it.

I didn’t think to store the data in the clear along with the hash, and compare them when loading the score. If the hash is not the same then remove this score.

I have another application which picks up and removes emails from many email accounts at a time. So I store the email account passwords so the user doesn’t have to enter them each time he launches the app. I save them in Keychain Access (Mac). The user has the option to install the application on a USB stick; in this case he can save his preferences in a folder on this USB stick. His passwords are in this file, encrypted with my simple own method. I don’t want to ask him his password each time he launches the app (but he can decide to do so). It’s not a big problem as he keeps his USB stick with him. The trouble could be if he lost it. In this case he has to change his passwords.
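The tamper-check idea from Kevin's post (store a hash alongside the data, so a hand edit breaks the hash) and the per-score variant in the reply above (keep the data in the clear, drop any score whose hash no longer matches), as an added example in Python; it is not code from the thread or from Xojo. Instead of PBKDF2 with private settings, it uses an HMAC keyed with a placeholder key constructed for the example, which plays the same role: an editor who does not know the key cannot produce a valid tag. The file format (tab-separated name, score, tag) is an assumption. The caveat raised earlier in the thread still applies: the key has to live somewhere the program can read it, so this deters casual editing, not a determined user with a hex editor.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed placeholder key for this example. A real app must embed or derive
# its own key, and whatever it embeds can in principle be recovered from the binary.
SCORE_KEY = b"example-only-key-replace-in-real-app"
SEP = "\t"


def _tag(name: str, score: int, key: bytes) -> str:
    # Tag name and score together so a tag cannot be moved between lines, and use a
    # separator so ("ab", 1) and ("a", "b1") never produce the same tagged message.
    message = f"{name}{SEP}{score}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def save_scores(scores: List[Tuple[str, int]], key: bytes = SCORE_KEY) -> str:
    """Serialize scores as readable text with an HMAC-SHA256 tag per line."""
    lines = []
    for name, score in scores:
        if SEP in name or "\n" in name:
            raise ValueError("player name must not contain tab or newline")
        lines.append(SEP.join([name, str(score), _tag(name, score, key)]))
    return "\n".join(lines) + "\n"


def load_scores(text: str, key: bytes = SCORE_KEY) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (accepted scores, rejected raw lines).

    A line is rejected if it is malformed or its tag does not match, which is the
    'remove this score' policy: the rest of the file is still usable.
    """
    accepted: List[Tuple[str, int]] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        parts = line.split(SEP)
        if len(parts) != 3 or not parts[1].lstrip("-").isdigit():
            rejected.append(line)
            continue
        name, score_text, tag = parts
        score = int(score_text)
        if hmac.compare_digest(tag, _tag(name, score, key)):
            accepted.append((name, score))
        else:
            rejected.append(line)
    return accepted, rejected


if __name__ == "__main__":
    text = save_scores([("alice", 1200), ("bob", 950)])
    # Simulate a player editing the file by hand: bob bumps his own score.
    tampered = text.replace("bob\t950", "bob\t999950")
    good, bad = load_scores(tampered)
    print(good)  # alice's line only
    print(bad)   # bob's edited line, tag no longer matches
```

Because the scores stay readable, there is no decrypt step on load; only the tag is recomputed. If the whole file should stand or fall together rather than line by line, the same `_tag` can be applied once to the joined body and written as a final line.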

You may want to have a look here : https://forum.xojo.com/13818-faster-encyrption-obscuration-than-rc4-for-large-24mb-15mb-file

Thank you.