KPasswordEdit and security

Frans Englich englich at kde.org
Mon Jan 1 12:45:19 GMT 2007


On Tuesday 26 December 2006 22:17, Albert Astals Cid wrote:
> Hi, KPasswordEdit is using a char * internally to store the password. There
> is a note in the header that says "I believe this is safer than a
> QString.". I'm not much into security but I would want some confirmation if
> it is safer to use a char* than a QString.
>
> I'm asking this because I want to fix bug 138997, a bug in KPasswordEdit
> (storing char * and some input method related things) makes it impossible
> to input passwords with non-ASCII characters. One could fix that porting
> that internal char* to internal ushort*, but that's not trivial, and if
> there is no strong security reason I think we can just drop KPasswordEdit
> altogether for KDE4 and use QLineEdit.

Apart from the security discussions up till now ("one can use QSecureArray or
lock memory pages"), I think they step aside from what this thread brings up:
that KPasswordEdit can't handle Unicode. I find that quite a severe bug.

So, perhaps a good start is to take Unicode support into account before
looking at more sophisticated security measures (which I as well question
whether it's doable globally in KDE and if it doesn't belong on the OS
level).


Cheers,

		Frans



