password visible in memory

Author: lalitpct@gmail.com (lalitpct)


After logging into the application, when the memory viewer application is used we are able to see the username and password in memory.
We kept the username and password in a string as shown below, which seems to be stored in memory:
$logstr$ = "|%%id|%%pass"
Does pathscrambler fix this memory issue, or do we need to have some other way to fix it?

4 Comments

  1. I'm sure you can use the Uniface-provided encrypt/decrypt routines to have something more unreadable in memory and decode it wherever you need it.

    But is it worth all that, because at least in the variable you have the readable text?

    So the best advice would be: do not store $logstr$ at all.


    Author: ulrich-merkel (ulrichmerkel@web.de)

  2. We have several databases (schemas), so while using SQL statements $logstr$ is used to log in to those,
    for e.g.:
    1) We have a Sybase db which has databases a, b, c.
    2) For the first time when Uniface logs in (for example to a), it sets this $logstr$ for username and password by prompting the user.
    3) Next time when it tries to log in to b it checks $logstr$; if it has a value it logs in without asking for the password.

    Is this problem because I have used a component variable?


    Author: lalitpct (lalitpct@gmail.com)
  3. Hi lalit,

    in fact it does not matter what kind of variable it is:

    If you store it for your user's convenience, it is "visible" somewhere in the memory.
    The alternative is (for security's sake) to prompt the user for each database for the password.

    But at least when you send the logon info to your database, someone with the right tools may pick it up.

    So security is an illusion after all.


    Author: ulrich-merkel (ulrichmerkel@web.de)
  4. What about using a function like this:

    ENTRY LF_LOGSTR
    returns string
    ; ID and PASS also encrypted by surrounding "x"
    ; ID   = "xmxyx_xixd"
    ; PASS = "xaxpxaxsxsxwxoxrxd"
    ; strip every "x" at call time to rebuild "|my_id|apassword" (nothing readable is kept in a variable)
    RETURN $replace("x|%%id%%%x|%%pass%%%", 1, "x", "", -1)
    END

    ...

    OPEN LF_LOGSTR(),"DEF"

    So there is no hint in memory about the id and/or password.

    Okay, the (parameter) stack could hold information about the logstring, but only for a short time.

    Ingo


    Author: istiller (i2stiller@gmx.de)
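Added C illustration (not Uniface code, and not from any poster in this thread) of the two patterns discussed here: a long-lived copy like $logstr$ keeps the readable credentials for the life of the process, while assembling the logon string on demand and wiping the buffer right after the logon call leaves nothing for a memory viewer to find in that buffer. The credentials, the fake_logon stand-in for the OPEN statement and the buffer scan are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the memory viewer in the post: count literal hits of pat in a buffer. */
static int count_occurrences(const unsigned char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    int hits = 0;
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) hits++;
    return hits;
}

/* memset called through a volatile pointer so the compiler cannot drop the wipe as a dead store. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;
static void secure_wipe(void *p, size_t n) { wipe_fn(p, 0, n); }

/* Pattern 1: a long-lived copy, like the component variable $logstr$ in the question.
   Returns how many readable copies of the (constructed) password a scan of it finds. */
static char g_logstr[64];
int long_lived_residue(void)
{
    snprintf(g_logstr, sizeof g_logstr, "|%s|%s", "my_id", "apassword");
    /* the logon would happen here; the readable string then stays for the process lifetime */
    return count_occurrences((unsigned char *)g_logstr, sizeof g_logstr, "apassword");
}

/* Pattern 2: build the logon string only when needed, pass it to the caller-supplied logon
   routine, and wipe the buffer before returning (LF_LOGSTR's idea, plus an explicit wipe). */
typedef int (*logon_fn)(const char *logstr);
int logon_on_demand(const char *id, const char *pass, logon_fn do_logon,
                    char *scratch, size_t scratchlen)
{
    snprintf(scratch, scratchlen, "|%s|%s", id, pass);
    int rc = do_logon(scratch);
    secure_wipe(scratch, scratchlen);
    return rc;
}

/* Hypothetical stand-in for the OPEN ...,"DEF" call: accepts exactly the expected logon string. */
static int fake_logon(const char *logstr) { return strcmp(logstr, "|my_id|apassword") == 0 ? 0 : -1; }
/* Returns -1 if the logon failed, otherwise the number of readable copies left in the buffer. */
int on_demand_residue(void)
{
    char scratch[64];
    if (logon_on_demand("my_id", "apassword", fake_logon, scratch, sizeof scratch) != 0)
        return -1;
    return count_occurrences((unsigned char *)scratch, sizeof scratch, "apassword");
}
```

The id and password still exist wherever they were entered, so this shortens the lifetime of the assembled string rather than eliminating the data; an interleaved form such as "xmxyx_xixd" only changes what the viewer shows and is not encryption.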