Issue 1379447
Created on 2005-12-13 12:00 by schlatterbeck, last changed 2005-12-13 12:00 by schlatterbeck.
File name | Uploaded | Description
patch-pw-simple | schlatterbeck, 2005-12-13 12:00 | simple patch for keeping plaintext password
patch-pw-refactor | schlatterbeck, 2005-12-13 12:02 | refactor: call setPassword from constructor
msg3394 | Author: [hidden] (schlatterbeck) | Date: 2005-12-13 12:00
The attached patch enables keeping the plaintext
password in the Password class in roundup/password.py
-- in both the constructor and the setPassword method.
The benefit: Keeping the plain pw makes it accessible
in detectors. This enables us to
- make checks on the strength of the pw
- generate other pws like, e.g. NT password hash or Lan
manager passwords for which we need cleartext.
Security consideration:
Since Python does garbage collection there is no
guarantee that a parameter passed to the constructor
will be overwritten anytime soon, so there is probably
no added insecurity keeping the password. Since Python
strings are immutable, we can't find a solution that
would securely wipe the given password anyway.
When we're at it, we might go one step further and
refactor the class to call setPassword from the
constructor, so that pw computation is only in one
place. This has the added benefit that we honor the
scheme given in the constructor for new passwords --
currently a scheme given in the constructor is ignored
and the created pw is always forced to scheme =
default_scheme. This would also fulfill the promise
made in the constructor docstring: "Call setPassword if
plaintext is not None." Also, setPassword currently does
not set self.scheme; this is also fixed.
- See two patches attached, patch-pw-simple and
patch-pw-refactor.
Ralf
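
The refactor described in the message above, as an added sketch that is not part of the original message and is not Roundup's code: a simplified stand-in Password class whose constructor delegates to setPassword, records the scheme actually used, and keeps the plaintext in memory only so a detector-style check can inspect it. The scheme names, the PBKDF2 encoding, and check_strength are assumptions made for this example.

```python
import hashlib
import os

# Hypothetical scheme names for this sketch, mapped to PBKDF2 digests.
SCHEMES = {"PBKDF2-SHA256": "sha256", "PBKDF2-SHA512": "sha512"}

def encode(plaintext, scheme):
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme %r" % scheme)
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(SCHEMES[scheme], plaintext.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + dk.hex()

class Password:
    """Simplified stand-in for the class discussed in the message."""
    default_scheme = "PBKDF2-SHA256"

    def __init__(self, plaintext=None, scheme=None):
        self.scheme = scheme or self.default_scheme
        self.password = None
        self.plaintext = None
        if plaintext is not None:
            # Single code path: the constructor delegates to setPassword.
            self.setPassword(plaintext, self.scheme)

    def setPassword(self, plaintext, scheme=None):
        scheme = scheme or self.default_scheme
        self.password = encode(plaintext, scheme)
        self.scheme = scheme        # record the scheme actually used
        self.plaintext = plaintext  # in memory only, for detector checks

    def __str__(self):
        # Only scheme and derived key are serialised, never the plaintext.
        return "{%s}%s" % (self.scheme, self.password)

def check_strength(pw, min_len=10):
    """Detector-style check; returns a list of problems (empty means OK)."""
    if pw.plaintext is None:
        return []  # value loaded from storage: no plaintext to inspect
    problems = []
    if len(pw.plaintext) < min_len:
        problems.append("too short")
    kinds = (str.islower, str.isupper, str.isdigit)
    if sum(any(k(c) for c in pw.plaintext) for k in kinds) < 2:
        problems.append("too few character classes")
    return problems
```
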
Date | User | Action | Args
2005-12-13 12:00:48 | schlatterbeck | create |