KPasswordEdit patch (was Re: new widgets...)

Neil Stevens neil at
Sun Sep 29 03:29:26 BST 2002

Hash: SHA1

On Saturday September 28, 2002 07:11, Malte Starostik wrote:
> It's not only about writing it to swap/disk (that was what the mlock
> patch would do, but only for root). Think about a multi-user system with
> an OS that doesn't guarantee memory is zeroed-out. User a enters a
> password and the process that provided the password edit exits. User b
> was monitoring this and allocs huge amounts of memory, in the hope he
> gets the physical memory user a had before. If he succeeds, he can read
> the password. Granted, it takes some luck but it's possible.

But that still fails.  Or are you also clearing the memory used by X (for 
input of the password) and by your network stream (for output of the 

If you assume an insecure OS, you lose no matter what your code does.  But 
if you assume a secure OS, then you don't need to resort to cheap tricks 
like these.  Either way, it's a waste of time.

- -- 
Neil Stevens - neil at
"I always cheer up immensely if an attack is particularly wounding
because I think, well, if they attack one personally, it means they
have not a single political argument left." - Margaret Thatcher
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


More information about the kde-core-devel mailing list