Ikke's Blog

Archives for: March 2006

Mar 4
Getting rid of a password string

During your talk at FOSDEM you showed some of the Tinymail code, eg the Account Store implementation on top of GConf.
Something in there took my attention: in per_account_forget_pass_func you memset the password to 0's, and free it. The day before I was working on a new IMAP server installation based on Dovecot, and while browsing the website I came across the Secure Coding techniques used by the author.
One of the parts I remembered:

When dealing with passwords and such, erase them from memory after you
don't need it anymore. Note that such memset() may be optimized away by
compiler, use safe_memset().

Where safe_memset is basicly a braindead simple re-implementation of memset. Might be interesting ;-)
It's useful to read the whole text anyway for everyone dealing with C code that needs a certain level of secure string handling.

Oh well, back to Dia.


Who's Online?

  • Guest Users: 471


XML Feeds

What is RSS?