Geek Answers Handbook

Are passwords stored in memory secure?

I prefer to store the user password in memory for later use.

var credentials = {}; function register(username,password){ //when users click sign up credentials.username = username; creadentials.password = password; } function login(){ //Users can click login at anytime. Or they just don't. ajax('/User/login',credentials).then(function(){ credentials = {}; }); }

Do I have to worry about security with this approach? If this is a bad idea, how do attackers get the password?

+5
source share
3 answers

The question is, what kind of attack are you trying to prevent?

When you try to think that something is safe or not try to list possible attackers, and then see if they can attack it. For example, in this case:

  • Outside device attacker (network-based):

    The password in the internal memory is safe in every way.

  • Attacker on the device, another user, not an administrator

    The password in the internal memory is safe in all respects, since OS restrictions do not allow an attacker to gain access to the memory block.

  • Attacker on the device, same user, non-administrator

    A password in memory may be skipped if an attacker can gain access to the system under the same user account as your code.

  • Attacker on the device, another user, root

    This is the same as above, the password may be leaked.

However, there is important information. If an attacker can gain access as the same user or root, you have problems with FAR. For example, they may prevent your code from sending all passwords (when they are entered) remotely.

Thus, in practice, the password will leak anyway.

However, there is one major exception. Imagine that you get segfault in an application. The OS takes a core dump. If you saved the password in plain text, the password is in this kernel with explicit text. This is a pretty significant problem.

Recommendations

Almost any attacker who could read a plain text password could do other unpleasant things, we want to practice comprehensive protection. This means that you get a multi-stage brochure for intruders. We do not want to make life easier for them.

Therefore, I suggest not storing passwords in text format. If you need a plaintext password later (to log in to remote systems or something else), I would suggest backchitect not to use (use OAuth2 or a federated auth system). But if you should at least encrypt it with a key that is not stored (or at least stored) in memory.

It would be even better to use a single-line hash, just like for storage (using bcrypt, scrypt, pbkdf2, etc.).

+4
source

Any point at which an attacker could gain access to a plaintext password is a problem. On the other hand, scenarios where this will attack, while alternatives are not extremely rare (although I can think of a few).

In any case, what do you want to do is allow the user to log in after registration, perhaps waiting for confirmation of confirmation of mail? In this case, it would be better to store the username and password in memory on the server side, since it still gives you all the same advantages without the risk of its sudden detection. And ideally, you do not store the password on server memory, just the username and flags / timestamp that the password was right.

+2
source

In any case, you will have a password "in memory", but not for long. The longer he hangs around, the more likely he is to be sniffed. But, if someone is able to sniff out passwords from your memory first, you are already compromised without hope. Essentially, it will not make much difference whether you save it longer or not.

It may or may not say anything about the security of the rest of your AJAX / REST infrastructure, perhaps you should not use unencrypted passwords for this. For example, go to a token system in which a plaintext password is not required after the initial authentication. But it is too wide to say from the fragment that we see.

+1
source

More articles:


All Articles