[Python-ideas] Secure string disposal (maybe other immutable seq types too?)

Chris Angelico rosuav at gmail.com
Sat Jun 23 00:08:01 EDT 2018


On Sat, Jun 23, 2018 at 2:00 PM, Terry Reedy <tjreedy at udel.edu> wrote:
> On 6/22/2018 8:45 PM, Chris Angelico wrote:
>
>> Would it suffice to flag the string as "this contains sensitive data,
>> please overwrite its buffer when it gets deallocated"? The only
>> difference, in your example, would be that the last print would show
>> the original data, and the wipe would happen afterwards. Advantages of
>> this approach include that getpass can automatically flag the string
>> as sensitive, and the "sensitive" flag can infect other strings (so
>> <<pwd + "x">> would be automatically flagged to be wiped). Downside:
>> You can't say "I'm done with this string, destroy it immediately".
>
>
> But one can be careful about creating references, and in current CPython,
> deleting the last reference does mean destroy, and possibly wipe,
> immediately.
>

Yes, you can, for the most part. It's certainly possible to get stung
(e.g. exceptions retaining locals), but mostly it should be fine.

How will other Pythons handle this?

ChrisA
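
An added illustration, not code from this thread, of the "exceptions retaining locals" case under CPython reference counting. `Secret` is a hypothetical stand-in for a string flagged to be wiped on deallocation, and the sample value is constructed.

```python
import traceback


class Secret:
    """Hypothetical stand-in for a str flagged 'wipe buffer on deallocation'."""

    def __init__(self, name, value, log):
        self.name, self.buf, self.log = name, bytearray(value), log

    def __del__(self):
        for i in range(len(self.buf)):    # overwrite the buffer in place
            self.buf[i] = 0
        self.log.append(self.name)        # record the moment the wipe ran


def use_secret(log, fail):
    pwd = Secret("pwd", b"hunter2", log)  # constructed sample value
    if fail:
        raise ValueError("login failed")  # pwd stays in this frame's locals


def wiped_after_clean_return():
    """Normal return: the last reference dies with the frame, wipe is immediate."""
    log = []
    use_secret(log, fail=False)
    return log == ["pwd"]


def wiped_while_exception_held():
    """A kept exception pins traceback -> frame -> locals, so no wipe yet."""
    log = []
    try:
        use_secret(log, fail=True)
    except ValueError as exc:
        held = exc                        # e.g. stored for later logging
    still_alive = (log == [])             # Secret has not been deallocated
    # Dropping the frames' locals releases the secret while keeping the exception.
    traceback.clear_frames(held.__traceback__)
    return still_alive, log == ["pwd"]


if __name__ == "__main__":
    print(wiped_after_clean_return())     # True
    print(wiped_while_exception_held())   # (True, True)
```

The timing shown depends on CPython's reference counting; an implementation with a tracing collector may run `__del__` later in both cases.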