Secure Passwords in Memory

Peter Hansen peter at engcorp.com
Sun Oct 1 17:31:56 EDT 2000


"Eric Gillespie, Jr." wrote:
> 
> I searched DejaNews and found some similar topics, but nothing
> which really answered my question. I need to get the root
> password from the user to exec a program which requires root
> privileges. I would like to immediately zero out the memory used
> to store the password.
> 
> This is easy in a language such as C, but I don't want to write a
> module just for this. I doubt 'del pw' or

I would be cautious about assuming whatever technique you come up with
is *really* clearing out the password, even if you wind up writing it in
C.

Have you considered other areas such as virtual memory?  If the process
can be swapped out at any time, your OS could be placing multiple copies
of the password in the filesystem, and when it is later swapped back in,
in other places in memory.

Without having *full* control over the region of memory where the
password is stored, you're probably wasting much of your time with this
and lulling yourself or your users into a false sense of security.

-- 
Peter Hansen
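
The two concerns in this thread (wiping the password, and copies reaching swap) can be narrowed in Python 3 on a Unix-like system, shown here as an added example that is not code from either poster. The class name `LockedSecret` and its methods are hypothetical; it assumes libc exposes `mlock`, and it does nothing about terminal or kernel buffers or about copies made by whatever consumes the secret.

```python
import ctypes
import ctypes.util
import io
import mmap


class LockedSecret:
    """One anonymous page for a secret: kept out of swap when the OS
    allows it, and overwritten in place before release."""

    def __init__(self, size=mmap.PAGESIZE):
        self.buf = mmap.mmap(-1, size)   # page-aligned, mutable, not a str
        self.length = 0
        self.locked = self._mlock(size)  # False: the page may still be swapped

    def _mlock(self, size):
        try:
            libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
            view = ctypes.c_char.from_buffer(self.buf)
            addr = ctypes.c_void_p(ctypes.addressof(view))
            ok = libc.mlock(addr, ctypes.c_size_t(size)) == 0
            del view                     # drop the export so close() works
            return ok
        except (OSError, AttributeError, TypeError):
            return False                 # no mlock here, or RLIMIT_MEMLOCK hit

    def read_from(self, fd):
        """Read one line from fd straight into the page (no str copy)."""
        raw = io.FileIO(fd, closefd=False)
        n = raw.readinto(self.buf) or 0
        end = self.buf.find(b"\n", 0, n)
        self.length = n if end < 0 else end
        return self.length

    def wipe(self):
        self.buf[:] = bytes(len(self.buf))   # in-place overwrite with zeros
        self.length = 0

    def close(self):
        self.wipe()
        self.buf.close()                 # munmap also releases the lock
```

Slicing `buf` (for example to pass the password to another call) creates an immutable `bytes` copy that this class cannot wipe, which is the limit the reply above points at.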


