[Python-ideas] Secure string disposal (maybe other inmutable seq types too?)

Chris Angelico rosuav at gmail.com
Fri Jun 22 20:45:50 EDT 2018

On Sat, Jun 23, 2018 at 10:31 AM, Ezequiel Brizuela [aka EHB or
qlixed] <qlixed at gmail.com> wrote:
>   I propose to make the required changes on the string objects to add an
> option to overwrite the underlying buffer. To do so:
>   * Add a wiped as an attribute that is read-only to be set when the string
> is overwrited.
>   * Add a wipe() method that overwrite the internal string buffer.

Since strings are immutable, it's entirely possible for them to be
shared in various ways. Having the string be wiped while still
existing seems to be a risky approach.

> So this will work like this:
>>>> pwd =getpass.getpass('Set your password:') # could be other sensitive
>>>> data.
>>>> encrypted_pwd = crypt.crypt(pwd)  # crypt() just as example.
>>>> pwd.wiped  # Check if pwd was wiped.
> False
>>>> pwd.wipe()  # Overwrite the underlying buffer
>>>> pwd.wiped  # Check if pwd was wiped.
> True
>>>> print(pwd)  # Print noise (or empty str?)
>>>> del pwd  # Now is in hands of the GC.

Would it suffice to flag the string as "this contains sensitive data,
please overwrite its buffer when it gets deallocated"? The only
difference, in your example, would be that the last print would show
the original data, and the wipe would happen afterwards. Advantages of
this approach include that getpass can automatically flag the string
as sensitive, and the "sensitive" flag can infect other strings (so
<<pwd + "x">> would be automatically flagged to be wiped). Downside:
You can't say "I'm done with this string, destroy it immediately".


More information about the Python-ideas mailing list