KPasswordEdit and security

Richard Moore richmoore44 at gmail.com
Wed Dec 27 21:03:38 GMT 2006


On 12/27/06, Thiago Macieira <thiago at kde.org> wrote:
> But this begs the question: does it do any good to lock the page where the
> password char-array is stored? Consider what you said: networking
> buffers, X and Qt's event system, Qt itself, etc.

It certainly raises the bar for recovering the password. Unfortunately,
as soon as we come to use the password for anything, we'd need to take
the same precautions; otherwise we'd just be copying it into an
unprotected buffer. If we really want to do this, then we'd need to
ensure we use this carefully throughout KDE and all associated
libraries. I'm not sure this is feasible in practice.

If we were to attempt something like this, we might be able to make a
valgrind skin or something that tracked where the password got copied
to in order to allow us to detect places that need fixing.

Rich.
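
The limit discussed in this message, as an added C example that is not part of the original post and is not KDE code: a password held in an mlock()ed page stays protected only until an ordinary call copies it into unlocked heap memory. The `secret_buf` type, the `secret_*` helpers and the password string are hypothetical and constructed for illustration; POSIX mmap()/mlock() are assumed.

```c
#define _GNU_SOURCE   /* glibc: expose MAP_ANONYMOUS and strdup */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical helper type (not a KDE API): page-aligned secret storage. */
typedef struct { unsigned char *data; size_t len; int locked; } secret_buf;

/* Map whole pages so nothing else shares them, then pin them in RAM. */
static int secret_alloc(secret_buf *s, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    s->len = (want + page - 1) / page * page;
    s->data = mmap(NULL, s->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s->data == MAP_FAILED) { s->data = NULL; return -1; }
    /* mlock() can fail under a low RLIMIT_MEMLOCK: record it, don't hide it. */
    s->locked = (mlock(s->data, s->len) == 0);
    return 0;
}

/* Volatile stores so the compiler cannot discard the wipe as a dead write. */
static void secret_free(secret_buf *s)
{
    volatile unsigned char *v = s->data;
    for (size_t i = 0; v && i < s->len; i++) v[i] = 0;
    if (s->data) { munmap(s->data, s->len); s->data = NULL; } /* drops the lock */
}

/* Does [p, p+n) lie entirely inside the protected region? */
static int secret_contains(const secret_buf *s, const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)s->data;
    return s->data && a >= lo && n <= s->len && a - lo <= s->len - n;
}

int main(void)
{
    secret_buf s;
    if (secret_alloc(&s, 64) != 0) return 1;
    strcpy((char *)s.data, "constructed-sample-pw");  /* constructed value */
    char *copy = strdup((char *)s.data);   /* what an ordinary API call does */
    printf("locked=%d original_inside=%d copy_inside=%d\n", s.locked,
           secret_contains(&s, s.data, 22), secret_contains(&s, copy, 22));
    free(copy);                            /* freed unwiped: bytes stay in heap */
    secret_free(&s);
    return 0;
}
```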




More information about the kde-core-devel mailing list