
Securely dealing with passwords in Cocoa and in NSTask

Let's say I have an NSSecureTextField in my app. Is it okay for me to grab the password into an NSString variable (as I normally would) and pass it around my app's code? Is it considered secure, or do I have to somehow encrypt the string variable within the app's code?

Also (and this is an absolutely critical part of my question): Is it secure to pass an NSString password gotten from an NSSecureTextField, via an NSPipe, into the standard input of an NSTask, to supply a password to a command-line tool? My main worry is that the OS would log the password someplace, which would be terrible.

In general, as soon as a password leaves secure storage (i.e. NSSecureTextField) and is stored as plain text in memory (an NSString variable), it is no longer considered secure. All the more, passing a plain-text password to the OS environment is not secure. It's relatively difficult for a potential attacker to get it in the first case (from the memory of your app), and relatively easy in the second case.

It is safe to pass unencrypted data around your application. Other applications cannot access your address space, so as long as you take care of security vulnerabilities, no one can get it. However, you should encrypt it before passing it to another application, if possible. You can't be sure it won't be intercepted between the two.
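
The approach the question asks about (an NSPipe feeding the standard input of an NSTask), written out as an added example that is not part of the question or of either answer. `RunToolWithSecret` is a hypothetical helper, `/usr/bin/wc -c` stands in for the real command-line tool, the password value is constructed, and the calls used assume macOS 10.15 or later.

```objc
#define __STDC_WANT_LIB_EXT1__ 1   // exposes memset_s in <string.h>
#include <string.h>
#include <signal.h>
#import <Foundation/Foundation.h>

// Sends `secret` to the child over a stdin pipe. Arguments show up in process
// listings (ps), so the secret is kept out of `args` and the environment.
static BOOL RunToolWithSecret(NSURL *tool, NSArray<NSString *> *args,
                              NSMutableData *secret, NSError **error) {
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = tool;
    task.arguments = args;
    NSPipe *stdinPipe = [NSPipe pipe];
    task.standardInput = stdinPipe;
    if (![task launchAndReturnError:error]) {
        memset_s(secret.mutableBytes, secret.length, 0, secret.length);
        return NO;
    }
    NSFileHandle *writer = stdinPipe.fileHandleForWriting;
    BOOL wrote = [writer writeData:secret error:error];
    [writer closeAndReturnError:NULL];  // child sees EOF
    // Wipe this buffer only; the immutable NSString it came from cannot be wiped.
    memset_s(secret.mutableBytes, secret.length, 0, secret.length);
    [task waitUntilExit];
    return wrote && task.terminationStatus == 0;
}

int main(void) {
    @autoreleasepool {
        signal(SIGPIPE, SIG_IGN);  // a child that exits early must not kill us
        // Constructed sample; in the app this is the NSSecureTextField's stringValue.
        NSString *typed = @"constructed-sample-password";
        NSMutableData *secret =
            [[typed dataUsingEncoding:NSUTF8StringEncoding] mutableCopy];
        NSError *error = nil;
        // /usr/bin/wc -c stands in for the real tool: it reads stdin and prints
        // only the byte count, never the secret itself.
        BOOL ok = RunToolWithSecret([NSURL fileURLWithPath:@"/usr/bin/wc"],
                                    @[@"-c"], secret, &error);
        if (!ok) NSLog(@"tool failed: %@", error);  // never log the secret
        return ok ? 0 : 1;
    }
}
```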
