[fpc-pascal] Is it necessary to protect passed passwords in memory?

Tomas Hajny XHajT03 at mbox.vol.cz
Thu Nov 2 08:07:13 CET 2006


On 1 Nov 06, at 18:13, Johannes Nohl wrote:

> > And where do you think the phrase 'My Secret Password' would be stored
> > other than memory?
> 
> so you have to override variables after use? like
> 
> var pwd: array[0..15] of char;
>      xpwd: string;
> 
> [...]
> 
> readln(pwd);
> xpwd := encrypt(pwd);
> pwd := '123456789012345'; // override
> 
> [...]
> 
> ???

Yes, and obviously don't declare it within the 
program (that's what appeared in the original 
example from Marc Pertron) - your example is 
indeed better from this point of view. I'd add 
that the disadvantage of ReadLn (used by you) is 
that it shows typed characters on console and in 
addition, I believe that these characters might 
be temporarily stored in a buffer in memory too 
(before they get overwritten with following 
input).

Tomas
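
The two points made in this reply (no echo while typing, and overwriting the buffer after use) as an added Free Pascal example that is not part of the original thread. It assumes the Crt unit's ReadKey for unechoed input; TSecret and ReadHidden are names made up here, and the WriteLn in the main block stands in for the thread's encrypt call.

```pascal
program ReadSecret;
{$mode objfpc}
uses
  Crt;  { ReadKey returns one keystroke and does not echo it }

const
  MaxLen = 15;
type
  TSecret = array[0..MaxLen] of Char;  { fixed buffer, no managed string copies }

{ Read up to MaxLen characters without echo; returns the number stored. }
function ReadHidden(var Buf: TSecret): Integer;
var
  Ch: Char;
begin
  Result := 0;
  FillChar(Buf, SizeOf(Buf), 0);
  repeat
    Ch := ReadKey;
    case Ch of
      #0: ReadKey;                    { extended key: discard its scan code }
      #8, #127:                       { backspace: drop and wipe last char }
        if Result > 0 then
        begin
          Dec(Result);
          Buf[Result] := #0;
        end;
      #13: ;                          { Enter ends the input }
    else
      if (Ch >= ' ') and (Result < MaxLen) then
      begin
        Buf[Result] := Ch;
        Inc(Result);
      end;
    end;
  until Ch = #13;
  WriteLn;
end;

var
  Pwd: TSecret;
  Len: Integer;
begin
  Write('Password: ');
  Len := ReadHidden(Pwd);
  try
    WriteLn('Read ', Len, ' characters');  { stand-in for encrypt(pwd) }
  finally
    FillChar(Pwd, SizeOf(Pwd), 0);         { overwrite on every exit path }
  end;
end.
```

This wipes only the program's own buffer; Crt and the operating system may still hold keystrokes in their own input buffers, and any copy made by the code that consumes the password has to be overwritten separately.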


