[fpc-pascal] is scrypt available?
Mark Morgan Lloyd
markMLl.fpc-pascal at telemetry.co.uk
Fri Oct 30 10:40:32 CET 2015
wkitty42 at windstream.net wrote:
> On 10/29/2015 01:08 PM, Frederic Da Vitoria wrote:
>> Good point. I'd even ask the question: do you really need to store the
>> passwords? IOW, do you want to be able to send them back to the user?
>> Or do you only need to check them?
>
> in the use case being studied, passwords can only be compared or reset...
They also have to be created, and unless you're careful that will leave
copies around the place in clear.
getPasswordFromUserWithRepeat(password);
password := salt + password; { result goes into a new heap block; the old one is not wiped }
If the string isn't already long enough, that second operation might
create a new one on the heap without sanitising the original. This was
discussed here a year or so ago [April '14] and it was agreed to be a
problem, Michael VC contributed a fix but it's not the default.
Now that might seem to be a strictly local problem, but an increasing
number of systems are implementing suspend/resume or process migration,
which could leave sensitive data on disc or move it over a network.
--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk
[Opinions above are the author's, not those of his employers or colleagues]
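An added illustration of the point above (this is example code written for this
thread, not code from the poster or from FPC): the concatenation reallocates, so
the bare password stays in the released block; the alternative builds salt+password
in a fixed buffer that is zeroed afterwards. GetPasswordFromUser here is a stand-in
for the poster's getPasswordFromUserWithRepeat, and the password and salt values are
constructed.

```pascal
program WipeDemo;
{$mode objfpc}{$H+}

uses
  SysUtils;

const
  MaxSecret = 256;

type
  TSecretBuf = array[0..MaxSecret - 1] of Byte;

{ Placeholder for the poster's getPasswordFromUserWithRepeat: real code would prompt. }
procedure GetPasswordFromUser(var password: AnsiString);
begin
  password := 'correct horse battery staple';  { constructed sample value }
end;

{ The pattern from the post. The '+' allocates a fresh heap block for the result;
  the block that held the bare password is released (or kept alive by another
  reference) without being overwritten. }
procedure ConcatLeavesCopy(const salt: AnsiString);
var
  password: AnsiString;
  oldAddr: Pointer;
begin
  GetPasswordFromUser(password);
  oldAddr := Pointer(password);
  password := salt + password;
  if Pointer(password) <> oldAddr then
    WriteLn('concatenation moved the data to a new block; the old block was not wiped');
end;

{ Wipe an AnsiString in place. UniqueString guarantees we hold the only
  reference (refcount 1); otherwise FillChar would clear a block that is
  still shared, or a constant. This only helps for the CURRENT block: any
  earlier copy already released by a reassignment is beyond reach. }
procedure WipeString(var s: AnsiString);
begin
  if s = '' then Exit;
  UniqueString(s);
  FillChar(s[1], Length(s), 0);
  s := '';
end;

{ Alternative: assemble salt+password in a fixed-size buffer that is never
  reallocated, hash or compare from that buffer, then zero it.
  Returns the number of bytes used, or -1 if the data would not fit. }
function BuildSaltedSecret(const salt, password: AnsiString;
                           var buf: TSecretBuf): Integer;
var
  total: Integer;
begin
  total := Length(salt) + Length(password);
  if total > MaxSecret then
    Exit(-1);
  if Length(salt) > 0 then
    Move(salt[1], buf[0], Length(salt));
  if Length(password) > 0 then
    Move(password[1], buf[Length(salt)], Length(password));
  Result := total;
end;

var
  password, salt: AnsiString;
  buf: TSecretBuf;
  used: Integer;
begin
  salt := 'constructed-salt';
  ConcatLeavesCopy(salt);

  GetPasswordFromUser(password);
  used := BuildSaltedSecret(salt, password, buf);
  WipeString(password);              { the caller's own copy is cleared }
  if used < 0 then
    WriteLn('secret too long for buffer')
  else
  begin
    { ... derive the key / compare the hash from buf[0..used-1] here ... }
    FillChar(buf, SizeOf(buf), 0);   { buffer zeroed before it goes out of scope }
    WriteLn('used ', used, ' bytes; buffer wiped');
  end;
end.
```

The buffer route is the one that actually addresses the complaint: as long as the
secret is assembled by string operations, every intermediate value is a separate
heap block and WipeString can only reach the last one.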