[fpc-pascal] Is it necessary to protect passed passwords in memory?

Marc PERTRON marc.pub at finistware.com
Wed Nov 1 16:55:19 CET 2006

Johannes Nohl a écrit :
> Dear list,
> I was thinking of writing a daemon in freepascal. When the program is
> started it will ask for a password. Then keep the pass in a string
> variable, using it every 10 minutes.
> It's not for an high security environment but I'm interested in
> general. How to protect those information in memory?
Under Linux or BSD, only the owner can access the memory of his program. 
So if launched by root, only readable by root.
If possible, store a hash and not a clear password, just to be paranoid 
as we should :o)
Ex :

  salt : string;
  pwd : string;
  salt := 'Something random or my software name, just used to avoid 
dictionary attacks';
  pwd := md5('My Secret Password' + salt);

So only a hash is stored in pwd, and it's unique.
But always remember that local access to a computer = quit easy to hack 
anything, unless you use strong cryptography.

More information about the fpc-pascal mailing list