"Use this function instead of ZeroMemory when you want to ensure that your data will be overwritten promptly, as some C++ compilers can optimize a call to ZeroMemory by removing it entirely."
Managing passwords is tricky.
Edit: answering: "I don't see the post talking about zeroing memory anywhere?": Exactly. But it uses "free".
free(wbuf);
It is freed without being zeroed. Without demonstrating freeing, and without having the "clean up" part it would not matter. With it, and the given context (writing about using APIs to handle passwords), it does matter, and you should care too. Even more so if you a) aren't aware of the possibility of the compiler optimizations b) haven't even thought about the possible "leaking" issues.
Right, at least, avoiding C allocation and deallocation functions can surely give one more control over the used memory segment. And I am not aware of any discussion of the positive or negative aspects of CryptMemAlloc and CryptMemFree.
Does the memory managed by these functions have any special properties? The docs don't mention any, other than that these functions are used by Crypt* functions that return buffers (i.e., client sshould free returned buffers with CryptMemFree).
> Does the memory managed by these functions have any special properties?
That's what I'd like to read too. It's surely possible to figure that out. Obviously, nothing special is promised by the description of the functions.
I know that some people, long ago, even wrote their own kernel drivers to make sure some part of the memory won't end in the virtual memory on the disk. They didn't think VirtualLock gives that guarantee.
And this is why the bank says you can only create a password with alphanumeric characters. Despite the huge advances of UTF-8 adoption there are still large numbers of systems out there where you can't reliably use anything other than A-Z and 0-9 as input.
Half the time a bank doing that is also reducing everything to a numeric pin and/or strictly limiting its length. Banks, on average, are a very bad model for password security.
That’s undoubtedly true, but brut force password cracking is something that banks have a relatively easy time of detecting and defeating, so one could argue that the length/char limitations are not as big a problem. I’m far more concerned that many banks (at least in the US) still only offer SMS as a second factor, or even worse, use those horrible “security questions” and call that two-factor authentication.
I guess mine isn't too bad, it allows a decent length and complexity, the only requirement is that it has to start with three digits because of their old telephone-based system where you can call and check your account balance, protected by a three-digits PIN. You can't do any transactions from it though.
Emoji might be weird symbols, still, although I make no estimation how they'll be perceived 100 years from now. Whereas Chinese, Hindi, Japanese, Cyrillic characters are not weird. There should be some reasonable subset of UTF8 supported/supportable for passphrases. The kinds of characters routinely seen printed in newspapers of record around the world.
No I get that forcing alphanumeric is a very arbitrary decision that is far from natural to a large part of the world's population and normally I would advocate for everyone to adopt Unicode.
However UTF8 passwords is a recipe for disaster that I want no part of. Passwords should be random byte strings, not a random piece of human language. Now technically alphanumeric isn't quite the same as a random byte-string but it is the one subset of text for which you can be almost certain that it will always be represented by the same bytes (although I suspect someone will point out an exception).
Note that not only does Unicode have several different binary representations, but even a sequence of code points has 4 different canonicalizations, that I cannot guarantee will always remain the same.
Once you venture out of ASCII, you will find that string comparisons are hard.
You'll need to get things into the right encoding (as the article states, UTF-16 is alive and well in some places, and there are two forms of that), and you'll probably need to do unicode normalization for some languages, because not every system will do that the same. But, normalization rules change over time, so you'll need to include the normalization used with the password processing code and storage.
For the Heroku CLI I used this in some node.js code:
sh -c "read -s PASS && echo $PASS"
I'm pretty sure it supports UTF-8 (only because I never heard otherwise. It does require Git to be installed on Windows for sh.exe but that was a prerequisite for our CLI anyways. Might be a good solution if you can't use the native APIs.
I'm surprised getpass(3) is marked as obsolete, it seems to be preferable to implementing the steps described for a unix-like system in the article yourself...
Maybe it's because it only reads up to PASS_MAX bytes, although glibc does not suffer from this limitation...
“I included emoji in my password and now I can’t log on to Yosemite”