[fpc-pascal] is scrypt available?

Mark Morgan Lloyd markMLl.fpc-pascal at telemetry.co.uk
Fri Oct 30 10:40:32 CET 2015

wkitty42 at windstream.net wrote:
> On 10/29/2015 01:08 PM, Frederic Da Vitoria wrote:
>> Good point. I'd even ask the question: do you really need to store the
>> passwords? IOW, do you want to be able to send them back to the user? 
>> Or do
>> you only need to check them?
> in the use case being studied, passwords can only be compared or reset...

They also have to be created, and unless you're careful that will leave 
copies around the place in clear.

password := salt + password;

If the string isn't already long enough, that second operation might 
create a new one on the heap without sanitising the original. This was 
discussed here a year or so ago [April '14] and it was agreed to be a 
problem, Michael VC contributed a fix but it's not the default.

Now that might seem to be a strictly local problem, but an increasing 
number of systems are implementing suspend/resume or process migration, 
which could leave sensitive data on disc or move it over a network.

Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]

More information about the fpc-pascal mailing list