[Python-ideas] Secure string disposal (maybe other immutable seq types too?)

Chris Angelico rosuav at gmail.com
Sat Jun 23 15:55:28 EDT 2018


On Sat, Jun 23, 2018 at 10:11 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 23.06.2018 02:45, Chris Angelico wrote:
>> Would it suffice to flag the string as "this contains sensitive data,
>> please overwrite its buffer when it gets deallocated"? The only
>> difference, in your example, would be that the last print would show
>> the original data, and the wipe would happen afterwards. Advantages of
>> this approach include that getpass can automatically flag the string
>> as sensitive, and the "sensitive" flag can infect other strings (so
>> <<pwd + "x">> would be automatically flagged to be wiped). Downside:
>> You can't say "I'm done with this string, destroy it immediately".
>
> I think the flag is an excellent idea.
>
> I'm not so sure about the automatic propagation of the flag,
> though. If a string gets interned with the flag set, this
> could lead to a lot of other strings receiving the flag
> without intent.
>
> Then again, you will probably not want such strings to be
> interned in the first place.

Yeah, I'm not entirely sure about the semantics of infection. There
might need to be a special case, such as "an empty string is never
sensitive", to prevent absolutely EVERYTHING from being infected. What
do other languages do there?

But even if the rules are extremely simple to start with, I think this
will be of value.

ChrisA
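The thread above discusses two things: wiping a secret's buffer when it is deallocated, and how a "sensitive" flag should propagate through concatenation (with the suggested special case that an empty string is never sensitive). The following is an added example, not code from the original post or from CPython, showing what can be done today in pure Python: keep the secret in a mutable bytearray so it can be zeroed in place, wipe it on context exit or deallocation, and model the proposed flag propagation. The class and method names (`Secret`, `wipe`, `peek`) are hypothetical choices made here. Note the same downside the post mentions: any copy handed out as an immutable `bytes` or `str` cannot be wiped.

```python
class Secret:
    """Hold secret bytes in a mutable bytearray so they can be zeroed in place.

    A str or bytes object cannot be wiped: it is immutable, may be interned
    or copied, and its contents linger until the allocator reuses the memory.
    (Hypothetical helper written for this example, not part of the original post.)
    """

    def __init__(self, data, sensitive=True):
        # Take ownership of a bytearray if given one, so no extra unwiped copy
        # is made; a bytes argument is the caller's own immutable copy.
        self._buf = data if isinstance(data, bytearray) else bytearray(data)
        self.wiped = False
        # Rule suggested in the thread: the empty string is never sensitive.
        self.sensitive = bool(sensitive) and len(self._buf) > 0

    def __len__(self):
        return len(self._buf)

    def wipe(self):
        """Overwrite the buffer with zeros in place; the object stays usable."""
        for i in range(len(self._buf)):
            self._buf[i] = 0
        self.wiped = True

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        # Explicit "I'm done with this secret, destroy it now".
        self.wipe()
        return False

    def __del__(self):
        # Best-effort wipe on deallocation, mirroring the proposed flag semantics.
        if getattr(self, "sensitive", False) and not getattr(self, "wiped", True):
            self.wipe()

    def __add__(self, other):
        # Flag propagation: the result is sensitive if either operand is.
        # Build the joined buffer as a bytearray to avoid an immutable temporary.
        joined = bytearray(self._buf)
        joined += other._buf
        return Secret(joined, sensitive=self.sensitive or other.sensitive)

    def peek(self):
        """Return an immutable copy. This copy cannot be wiped; that is the
        same caveat as the final print in the thread's example."""
        return bytes(self._buf)


if __name__ == "__main__":
    # Constructed sample input; "hunter2" is not a real credential.
    with Secret(b"hunter2") as pw:
        print(len(pw), pw.sensitive)      # 7 True
    print(pw.wiped, pw.peek())            # True b'\x00\x00\x00\x00\x00\x00\x00'
    combined = Secret(b"pw") + Secret(b"x", sensitive=False)
    print(combined.sensitive)             # True: the sensitive operand infects the result
    print((Secret(b"") + Secret(b"x", sensitive=False)).sensitive)  # False
```

Usage: keep the secret inside the `with` block or call `wipe()` as soon as the secret is no longer needed; avoid `peek()` except at the point of use, since every `bytes`/`str` copy it produces escapes the wiping entirely.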

