[fpc-pascal] Is it necessary to protect passed passwords in memory?

Marc PERTRON marc.pub at finistware.com
Sun Nov 5 09:53:31 CET 2006

Tomas Hajny a écrit :
> On 1 Nov 06, at 18:13, Johannes Nohl wrote:
> Yes, and obviously don't declare it within the 
> program (that's what appeared in the original 
> example from Marc Pertron) - your example is 
> indeed better from this point of view. I'd add 
> that the disadvantage of ReadLn (used by you) is 
> that it shows typed characters on console and in 
> addition, I believe that these characters might 
> be temporarily stored in a buffer in memory too 
> (before they get overwritten with following 
> input).
Of course my example or the ReadLn are because we don't know your 
program and where the password comes from.
It appears obvious that you should not write the password in clear text 
in the software if you want it not to be read from memory !
It was an example for hashing password which are one of the best 
solution but need a salt to avoid dictionary attacks.

More information about the fpc-pascal mailing list