Ikke's Blog

Post details: Getting rid of a password string

Mar 4
Getting rid of a password string

@Philip:
During your talk at FOSDEM you showed some of the Tinymail code, e.g. the Account Store implementation on top of GConf.
Something in there caught my attention: in per_account_forget_pass_func you memset the password to 0's, and free it. The day before I was working on a new IMAP server installation based on Dovecot, and while browsing the website I came across the Secure Coding techniques used by the author.
One of the parts I remembered:

When dealing with passwords and such, erase them from memory after you
don't need it anymore. Note that such memset() may be optimized away by
compiler, use safe_memset().

Where safe_memset is basically a braindead simple re-implementation of memset. Might be interesting ;-)
It's useful to read the whole text anyway for everyone dealing with C code that needs a certain level of secure string handling.

Oh well, back to Dia.
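
The memset-then-free pattern discussed above, next to a wipe the compiler has to keep. This is an added example, not code from Tinymail or Dovecot: the names secure_wipe, count_nonzero, forget_pass_naive and forget_pass_wiped are hypothetical, and the volatile-pointer loop is an assumed way of writing such a "re-implementation of memset".

```c
#include <stdlib.h>
#include <string.h>
/* Wipe through a volatile pointer: every store is an observable side
 * effect, so the compiler may not discard it as a dead store. */
static void *secure_wipe(void *data, int c, size_t len)
{
    volatile unsigned char *p = data;
    while (len-- > 0)
        *p++ = (unsigned char)c;
    return data;
}

/* Count bytes that are still non-zero, to check a wipe. */
static size_t count_nonzero(const void *data, size_t len)
{
    const unsigned char *p = data;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (p[i] != 0);
    return n;
}

/* Before: nothing reads the buffer after memset(), so an optimizing
 * compiler may drop the call and free() the password intact. */
static void forget_pass_naive(char **pass)
{
    if (*pass == NULL)
        return;
    memset(*pass, 0, strlen(*pass));
    free(*pass);
    *pass = NULL;
}

/* After: same flow, but the wipe survives optimization. */
static void forget_pass_wiped(char **pass)
{
    if (*pass == NULL)
        return;
    secure_wipe(*pass, 0, strlen(*pass));
    free(*pass);
    *pass = NULL;
}

int main(void)
{
    char sample[] = "constructed-sample"; /* constructed test value */
    secure_wipe(sample, 0, sizeof(sample));
    return count_nonzero(sample, sizeof(sample)) != 0;
}
```

Where the platform provides a dedicated primitive such as explicit_bzero() (glibc, BSDs) or SecureZeroMemory() (Windows), it serves the same purpose as the hand-written loop.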

Comments:

Comment from: Timo Sirainen [Visitor]
BTW. I got the idea from this thread:

http://seclists.org/lists/bugtraq/2002/Nov/0048.html
Permalink 03/06/06 @ 08:50
Comment from: Boris Eltsin [Visitor] · http://libe.htmlplanet.com/meridia.htm
I think you're right. So go on. Boris.
Permalink 04/21/06 @ 01:30
