Secure Passwords in Memory
bmcd at es.co.nz
Sun Oct 1 00:28:17 CEST 2000
On Sat, 30 Sep 2000 16:05:05 -0500, Eric Gillespie, Jr. <epg at progenylinux.com>
>I searched DejaNews and found some similar topics, but nothing
>which really answered my question. I need to get the root
>password from the user to exec a program which requires root
>privileges. I would like to immediately zero out the memory used
>to store the password.
>This is easy in a language such as C, but I don't want to write a
>module just for this. I doubt 'del pw' or
>for i in range(len(pw)):
>    pw[i] = 0
If you store the password either in a string, or in a list of characters
(strings with length 1), or a list of integers, then this isn't going to work,
because Python strings and numbers are immutable. Even the list contents will
likely remain in the heap in order once freed.
More deviously, you could store the input as characters in an array object
(array module), and use fromfile and tofile to move them around. You would then
be able to erase the memory directly. However, even in this case, I can't
guarantee that copies aren't going to be made, but I think it is less likely.
The individual keystrokes would still be captured and may not have been
overwritten, but this is less likely to be a problem.
Ben Caradoc-Davies <bmcd at es.co.nz>
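An added example (not part of the original post) of the mutable-array approach described in the reply above: the secret is read into an `array('B')` and then zeroed in place with the loop from the question. It uses `readinto` on an unbuffered file rather than `fromfile`, because in Python 3 `fromfile` gets its data through an intermediate immutable `bytes` object; `MAX_LEN`, `read_secret`, `wipe`, `demo` and the pipe-fed sample password are assumptions made for illustration.

```python
import os
from array import array

MAX_LEN = 128  # assumed upper bound on password length (not from the post)


def read_secret(raw, buf):
    """Read one line from the unbuffered binary file `raw` into `buf`.

    Bytes land directly in the array's own memory, one at a time, so no
    str/bytes object holding the whole secret is created here.
    Returns the number of secret bytes stored.
    """
    n = 0
    with memoryview(buf) as view:
        while n < len(buf):
            if raw.readinto(view[n:n + 1]) != 1:  # EOF
                break
            if buf[n] == 0x0A:                    # newline ends the secret
                buf[n] = 0
                break
            n += 1
    return n


def wipe(buf):
    """Overwrite every element in place: the loop from the question,
    which works here because an array is mutable storage."""
    for i in range(len(buf)):
        buf[i] = 0


def demo():
    """Feed a constructed password through a pipe, read it, then wipe it."""
    r, w = os.pipe()
    os.write(w, b"constructed-pw\n")  # constructed sample input
    os.close(w)
    buf = array("B", bytes(MAX_LEN))
    with os.fdopen(r, "rb", buffering=0) as raw:
        n = read_secret(raw, buf)
    # The comparison copies the bytes; done only to check the demo.
    ok = buf[:n].tobytes() == b"constructed-pw"
    wipe(buf)
    return n, ok, any(buf)


if __name__ == "__main__":
    print(demo())
```

Only the array's own buffer is cleared; as the reply says, copies made elsewhere are not covered.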