[fpc-pascal] Is it necessary to protect passed passwords in memory?
Marc PERTRON
marc.pub at finistware.com
Wed Nov 1 16:55:19 CET 2006
Johannes Nohl wrote:
> Dear list,
>
> I was thinking of writing a daemon in freepascal. When the program is
> started it will ask for a password. Then keep the pass in a string
> variable, using it every 10 minutes.
>
> It's not for a high security environment but I'm interested in
> general. How to protect that information in memory?
Under Linux or BSD, only the owner can access the memory of his program.
So if launched by root, only readable by root.
If possible, store a hash and not a clear password, just to be paranoid
as we should :o)
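Ex:
  uses
    md5;  { FPC's md5 unit provides MD5String and MD5Print }
  var
    salt : string;
    pwd : string;
  begin
    salt := 'Something random or my software name, just used to avoid dictionary attacks';
    { Keep only the hex digest of password + salt }
    pwd := MD5Print(MD5String('My Secret Password' + salt));
  end.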
So only a hash is stored in pwd, and it's unique.
But always remember that local access to a computer = quite easy to hack
anything, unless you use strong cryptography.
--
Marc
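
An added example, not part of the original post: it keeps the post's md5-plus-salt scheme but reads the salt from the kernel at startup and overwrites the plaintext strings once the digest exists. The names RandomSaltHex and WipeString are hypothetical, and /dev/urandom is assumed to be available (Linux or BSD, as in the reply).

```pascal
program HashAndWipe;
{$mode objfpc}{$H+}
uses md5;

{ Hex-encoded random salt from the kernel (assumes /dev/urandom exists). }
function RandomSaltHex: string;
var
  f: file;
  buf: array[0..15] of Byte;
  got: LongInt;
  i: Integer;
begin
  FileMode := 0;                  // open read-only
  Assign(f, '/dev/urandom');
  Reset(f, 1);
  BlockRead(f, buf, SizeOf(buf), got);
  Close(f);
  if got <> SizeOf(buf) then Halt(1);
  Result := '';
  for i := 0 to High(buf) do
    Result := Result + HexStr(buf[i], 2);
end;

{ Overwrite the characters of s in place, then release the string. }
procedure WipeString(var s: string);
begin
  if Length(s) > 0 then
  begin
    UniqueString(s);              // make sure we own the buffer
    FillChar(s[1], Length(s), 0);
  end;
  s := '';
end;

var
  salt, pwd, salted, digest: string;
begin
  salt := RandomSaltHex;
  Write('Password: ');
  ReadLn(pwd);                    // the runtime's input buffer is not wiped here
  salted := pwd + salt;           // named, so it can be wiped too
  digest := MD5Print(MD5String(salted));
  WipeString(salted);
  WipeString(pwd);
  WriteLn('salt=', salt, ' digest=', digest);
end.
```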