Secure Password Usage in Cocoa and NSTask

Say I have an NSSecureTextField in my application. Is it okay for me to grab the password into an NSString variable (as I usually wanted) and pass it around my application code? Is it safe or do I need to somehow encrypt a string variable in the application code?

Also (and this is an absolutely critical part of my question): is it safe to pass the NSString password received from NSSecureTextField through NSPipe to standard NSTask input to provide a password for the command line? My main concern is that the OS will write the password somewhere, which would be horrible.

+5
2 answers

In general, as soon as the password leaves the secure store (i.e. NSSecureTextField) and is stored as plain text in memory (NSString variable), it is no longer considered safe. Moreover, a simple text password for the OS is not secure. For a potential attacker, it is quite difficult to get it in the first case (from the memory of your application) and relatively easy in the second case.

+4
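
The NSPipe-to-NSTask hand-off the question describes, as an added example that is not part of the original question or answers: the password bytes sit in an NSMutableData buffer, are written to the child's standard input, and are overwritten afterwards. RunToolWithSecret, the /usr/bin/wc stand-in tool and the sample value are assumptions made for illustration; launchAndReturnError: needs macOS 10.13+ and writeData:error: needs macOS 10.15+.

```objective-c
#define __STDC_WANT_LIB_EXT1__ 1   // must precede <string.h> to expose memset_s
#import <Foundation/Foundation.h>
#include <string.h>

// Hypothetical helper (not from the original page): sends `secret` to the
// child's stdin, then zeroes the caller's buffer whether or not the run succeeded.
static BOOL RunToolWithSecret(NSURL *toolURL, NSArray<NSString *> *args,
                              NSMutableData *secret, NSError **error) {
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = toolURL;
    task.arguments = args;   // never place the password here: argv is visible in ps output

    NSPipe *stdinPipe = [NSPipe pipe];
    task.standardInput = stdinPipe;

    BOOL ok = [task launchAndReturnError:error];
    if (ok) {
        NSFileHandle *writer = stdinPipe.fileHandleForWriting;
        ok = [writer writeData:secret error:error];
        [writer closeAndReturnError:NULL];   // EOF tells the child the input is complete
        [task waitUntilExit];
        ok = ok && (task.terminationStatus == 0);
    }

    // memset_s is not optimized away the way a plain memset before release can be.
    if (secret.length > 0) {
        memset_s(secret.mutableBytes, secret.length, 0, secret.length);
    }
    return ok;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample value. In an app the bytes would come from the
        // NSSecureTextField's stringValue; that NSString is immutable and cannot
        // be wiped, so keep its lifetime as short as possible.
        NSMutableData *secret =
            [[@"example-password\n" dataUsingEncoding:NSUTF8StringEncoding] mutableCopy];

        NSError *error = nil;
        BOOL ok = RunToolWithSecret([NSURL fileURLWithPath:@"/usr/bin/wc"],
                                    @[@"-c"], secret, &error);
        NSLog(@"child %@; buffer wiped: %d",
              ok ? @"succeeded" : error.localizedDescription,
              ((const char *)secret.bytes)[0] == 0);
    }
    return 0;
}
```

Wiping the buffer only covers the copy this code owns; the NSString returned by the text field and any intermediate NSData stay in memory until they are released and their pages are reused.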

. , , , . , , . , .

+3
