Erase the unencrypted password from memory


@Yumcoder


The Password File: /etc/passwd

The system password file, /etc/passwd, contains one line for each user account on the system. Each line is composed of seven fields separated by colons (:).

An entry in the Linux passwd file has the following form:
Login name:Password:User ID (UID):Group ID (GID):Comment:Home directory:Login shell

The password field in /etc/passwd conventionally contains the letter x, meaning that the encrypted password is saved in the shadow password file, /etc/shadow.

Example

A program that reads a password and then validates it proceeds as follows:

1- get a user login name (A)

2- read the password field of A from /etc/passwd and save it in pwd

3- read the encrypted password of A from /etc/shadow and save it in spwd

4- if a shadow password exists, the stored password is spwd; otherwise it is pwd

5- get the user's password in plain text from the command line

6- encrypt the user's password

7- erase the unencrypted password from memory

8- compare the results of steps 6 and 4


Code example: https://gist.github.com/YumcoderCom/784cbdc74cf34d299dd2dfbaf2529ccf




Programs that read a password should immediately encrypt that password and erase the unencrypted version from memory.

  • This minimizes the possibility of a program crash producing a core dump file that could be read to discover the password.
  • There are other possible ways in which the unencrypted password could be exposed. For example, the password could be read from the swap file by a privileged program if the virtual memory page containing the password is swapped out. Alternatively, a process with sufficient privilege could read /dev/mem (a virtual device that presents the physical memory of a computer as a sequential stream of bytes) in an attempt to discover the password.
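The eight steps above, together with the erase-before-compare rule just stated, as an added C example that is neither the linked gist nor code from the book. It assumes a Linux system with glibc-style pwd.h/shadow.h; reading /etc/shadow needs root, and crypt(3) is declared as a weak symbol so the file links with or without -lcrypt (without it, crypt is NULL and the error path runs). The key point it demonstrates is that a plain memset() after the last use of the buffer may be removed by the optimizer, so the wipe goes through a volatile function pointer (explicit_bzero(3) is the glibc alternative), and that the plaintext buffer is wiped on every return path of the check, error paths included.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <shadow.h>
#include <termios.h>

/* crypt(3) declared weak: links without -lcrypt, in which case crypt == NULL. */
extern char *crypt(const char *key, const char *setting) __attribute__((weak));

typedef char *(*hash_fn)(const char *plain, const char *setting);

/* Calling memset through a volatile pointer stops the compiler from deleting
   a "dead store" to a buffer that is never read again. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_erase(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Returns 1 if every byte of buf[0..n) is zero. */
int is_erased(const char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Length-independent, branch-free comparison of two hash strings. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    size_t diff = la ^ lb;
    for (size_t i = 0; i < n; i++)
        diff |= (size_t)((unsigned char)a[i] ^ (unsigned char)b[i]);
    return diff == 0;
}

/* Steps 2-4: the shadow entry wins over the passwd field when it is readable. */
const char *stored_hash_for(const char *login)
{
    struct passwd *pw = getpwnam(login);
    if (pw == NULL)
        return NULL;
    struct spwd *sp = getspnam(login);   /* NULL when not root or no entry */
    return sp != NULL ? sp->sp_pwdp : pw->pw_passwd;
}

/* Steps 6-8: hash the plaintext, wipe it, then compare.
   plain[] is wiped on every path. Returns 1 match, 0 mismatch, -1 error. */
int authenticate(const char *stored, char *plain, size_t plain_cap, hash_fn hash)
{
    int result = -1;
    char *computed = NULL;
    if (stored != NULL && hash != NULL)
        computed = hash(plain, stored);       /* step 6: crypt uses the stored salt */
    secure_erase(plain, plain_cap);           /* step 7: before anything else can fail */
    if (computed != NULL)
        result = ct_equal(computed, stored);  /* step 8 */
    return result;
}

static int set_echo(int on)
{
    struct termios t;
    if (tcgetattr(0, &t) != 0)
        return -1;
    if (on) t.c_lflag |= ECHO; else t.c_lflag &= ~(tcflag_t)ECHO;
    return tcsetattr(0, TCSAFLUSH, &t);
}

int main(int argc, char *argv[])
{
    char plain[256];                          /* step 5 reads into this buffer */
    if (argc != 2) { fprintf(stderr, "usage: %s login\n", argv[0]); return 2; }
    const char *stored = stored_hash_for(argv[1]);   /* step 1 is argv[1] */
    if (stored == NULL) { fprintf(stderr, "unknown user or no shadow access\n"); return 2; }
    if (crypt == NULL) { fprintf(stderr, "crypt(3) missing: link with -lcrypt\n"); return 2; }
    fputs("Password: ", stderr);
    set_echo(0);
    if (fgets(plain, sizeof plain, stdin) == NULL) { set_echo(1); return 2; }
    set_echo(1);
    plain[strcspn(plain, "\n")] = '\0';
    int ok = authenticate(stored, plain, sizeof plain, crypt);   /* plain is zero here */
    printf("\n%s\n", ok == 1 ? "authenticated" : "denied");
    return ok == 1 ? 0 : 1;
}
```

Build with `cc -O2 prog.c -lcrypt` and run as root; -O2 matters, because that is the level at which a plain memset() of a dead buffer disappears and the volatile pointer earns its keep. The crash-dump and swap exposures described above are narrowed only for the window between reading and wiping, so the wipe sits immediately after the hash call rather than after the comparison.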

Reference: The Linux Programming Interface: A Linux and UNIX System Programming Handbook, Michael Kerrisk.
