[fpc-pascal] Is it necessary to protect passed passwords in memory?
Marc PERTRON
marc.pub at finistware.com
Sun Nov 5 09:53:31 CET 2006
Tomas Hajny wrote:
> On 1 Nov 06, at 18:13, Johannes Nohl wrote:
>
> Yes, and obviously don't declare it within the
> program (that's what appeared in the original
> example from Marc Pertron) - your example is
> indeed better from this point of view. I'd add
> that the disadvantage of ReadLn (used by you) is
> that it shows typed characters on console and in
> addition, I believe that these characters might
> be temporarily stored in a buffer in memory too
> (before they get overwritten with following
> input).
>
Of course, my example and the ReadLn are there because we don't know your
program or where the password comes from.
It appears obvious that you should not write the password in clear text
in the software if you want it not to be read from memory!
It was an example of hashing passwords, which is one of the best
solutions but needs a salt to avoid dictionary attacks.
Marc
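
Added example, not part of the original message and not code from the thread: salted, iterated password hashing of the kind the message recommends, written as PBKDF2-HMAC-SHA1 on top of the `sha1` and `hmac` units (assumed to be present in your Free Pascal installation). The passwords, salts and iteration count are constructed sample values; a real salt is random per account and comes from the operating system's random source.

```pascal
program SaltedPasswordDemo;
{$mode objfpc}{$H+}
uses sha1, hmac;  // assumed: units from the Free Pascal hash package
const
  Iterations = 100000;               // assumed work factor, tune to your hardware
  SaltAlice  = 'constructed-salt-a'; // constructed; use random bytes per account
  SaltBob    = 'constructed-salt-b';

// Copy the 20 raw digest bytes into a string so they can be fed back to HMAC.
function DigestToStr(const D: TSHA1Digest): string;
begin
  SetLength(Result, SizeOf(D));
  Move(D[0], Result[1], SizeOf(D));
end;

// First 20-byte output block of PBKDF2-HMAC-SHA1 (RFC 2898).
function DeriveKey(const Password, Salt: string; Count: LongInt): TSHA1Digest;
var
  U: TSHA1Digest;
  i, j: LongInt;
begin
  U := HMACSHA1Digest(Password, Salt + #0#0#0#1);  // salt || block index 1
  Result := U;
  for i := 2 to Count do
  begin
    U := HMACSHA1Digest(Password, DigestToStr(U));
    for j := Low(U) to High(U) do
      Result[j] := Result[j] xor U[j];
  end;
end;

// Compare every byte instead of stopping at the first difference.
function SameDigest(const A, B: TSHA1Digest): Boolean;
var
  j: LongInt;
  Diff: Byte;
begin
  Diff := 0;
  for j := Low(A) to High(A) do
    Diff := Diff or (A[j] xor B[j]);
  Result := Diff = 0;
end;

var
  Alice, Bob: TSHA1Digest;  // what would be stored next to each account's salt
begin
  Alice := DeriveKey('correct horse', SaltAlice, Iterations);
  Bob   := DeriveKey('correct horse', SaltBob, Iterations);
  WriteLn('same password, same stored hash? ', SameDigest(Alice, Bob));
  WriteLn('alice, right password: ', SameDigest(Alice, DeriveKey('correct horse', SaltAlice, Iterations)));
  WriteLn('alice, wrong password: ', SameDigest(Alice, DeriveKey('correct house', SaltAlice, Iterations)));
end.
```

Because the two accounts use different salts, one precomputed dictionary of hashes cannot be matched against both stored values; the iteration count makes each guess against a single account more expensive.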