[fpc-pascal] Processing passwords etc.

Michael Van Canneyt michael at freepascal.org
Fri Apr 11 11:03:43 CEST 2014



On Fri, 11 Apr 2014, Jonas Maebe wrote:

>
> On 11 Apr 2014, at 10:26, Michael Van Canneyt wrote:
>
>> OTOH, I think people are hugely exaggerating the problem, considering it was introduced relatively recently and that I got my security update before it hit the newspapers.
>
>> That is of course not to say that it shouldn't be fixed and people shouldn't bother.
>> But the way it is presented is more about scaring people than anything else. Hysterics...
>
> I very strongly disagree. All certificates and login data used with
> vulnerable services over the past year or so should be considered
> compromised.  It will probably take months before all affected
> certificates are replaced (if that ever happens for most of them), and
> many of the replaced and hence potentially compromised certificates will
> probably never be revoked.  The result is a huge increase in chances for
> man-in-the-middle attacks, not to mention all the compromised login data
> and private information (emails, bank statements, ...).

Like I said, this is not to say that no action should be taken.
I expect that all sensitive sites (banks, Google, etc.) have taken immediate action.

That the login of my local tennis/pool/golf club was compromised is not really so scary, sorry.

Anyway, getting off topic.

The main point is that in FPC you can install a memory manager that wipes 
out any memory when getting or releasing it, if you want to make your software more secure that way.

Michael.
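
The memory-manager approach mentioned in the message above, sketched as an added example (not part of the original post and not FPC's own code). It wraps whatever manager is currently installed using the RTL's GetMemoryManager/SetMemoryManager; the Wipe* names are hypothetical, and it assumes the underlying manager's MemSize reports the usable size of a block.

```pascal
program wipemm;
{$mode objfpc}
var
  OldMM, MM: TMemoryManager;   // OldMM: the manager that was active before ours
  Password: AnsiString;

function WipeGetMem(Size: PtrUInt): Pointer;
begin
  Result := OldMM.GetMem(Size);
  if Result <> nil then FillChar(Result^, OldMM.MemSize(Result), 0);
end;

function WipeFreeMem(p: Pointer): PtrUInt;
begin
  // Zero the whole usable block before the heap can hand it out again.
  if p <> nil then FillChar(p^, OldMM.MemSize(p), 0);
  Result := OldMM.FreeMem(p);
end;
function WipeFreeMemSize(p: Pointer; Size: PtrUInt): PtrUInt;
begin
  if p <> nil then FillChar(p^, OldMM.MemSize(p), 0);
  Result := OldMM.FreeMemSize(p, Size);
end;

// Always move the data, so neither an in-place shrink nor a relocating
// grow leaves a stale, unwiped copy of the old contents behind.
function WipeReAllocMem(var p: Pointer; Size: PtrUInt): Pointer;
var Keep: PtrUInt;
begin
  if Size = 0 then begin WipeFreeMem(p); p := nil; exit(nil); end;
  Result := WipeGetMem(Size);
  if Result = nil then exit;          // allocation failed: leave p untouched
  if p <> nil then
  begin
    Keep := OldMM.MemSize(p);
    if Keep > Size then Keep := Size;
    Move(p^, Result^, Keep);
    WipeFreeMem(p);
  end;
  p := Result;
end;

begin
  GetMemoryManager(OldMM);
  MM := OldMM;            // keep AllocMem, MemSize, thread hooks, heap status
  MM.GetMem := @WipeGetMem;   MM.FreeMem := @WipeFreeMem;
  MM.FreeMemSize := @WipeFreeMemSize;   MM.ReAllocMem := @WipeReAllocMem;
  SetMemoryManager(MM);
  Password := StringOfChar('x', 16);  // constructed placeholder secret on the heap
  Password := '';                     // its block is zeroed as it is released
end.
```

This only covers heap blocks that pass through the memory manager; copies held in registers, on the stack, or in pages the OS has swapped out are not wiped. In a real program the manager would be installed from the initialization section of the first unit in the uses clause, so that it is active before other units allocate.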


