KPasswordDialog

Stefan Taferner taferner at kde.org
Fri Nov 5 07:01:19 GMT 2004


Am Freitag, 5. November 2004 01:06 schrieb Ingo Klöcker:
[...]
> > I notice the careful attention to using a char* for storing the
> > password, but is this really necessary?  I think QString is perfectly
> > acceptable - we have many other ways people can steal passwords from
> > memory anyway.
>
> Does the operating system clean memory pages after they are freed or
> before they are alloc'ed? If not, then an attacker could simply alloc
> memory and search it for freed passwords. By using char* this threat
> can be countered by zeroing the password before the memory is freed.

The operating system does not clear memory at all (for performance reasons).
Some memory allocation methods do this (calloc for example), but AFAIK
malloc not.

> The other threat is that passwords are written to the swap partition.
> This can only be countered by using mlock'ed char* memory. mlocking
> QString is impossible (unless you or Qt writes QSecureString).

Thats the old discussion if you can trust root or not. Some years ago there
was some consens that you should not use these things on a computer where
you do not trust root. Simply because root can replace any program with
a version that logs your input.

--Stefan




More information about the kde-core-devel mailing list