Passwords - In Memory Still Green

Paladion
By Paladion

August 15, 2004

Passwords are the keys to applications. Any user will want to protect his/her password from others, especially attackers. That is a good practice, but is not enough.

Passwords are the keys to applications. Any user will want to protect his/her password from others, especially attackers. That is a good practice, but is not enough. Applications also need to protect these important pieces of information. This is the reason why a lot of applications use various cryptographic techniques to encrypt passwords while storing and transmitting them. However, passwords can still get stolen from an unlikely place.

The Residues of Encryption

Let's take the case of a web application. Browsers connect to the web server, which in turn connects to the database server. Let's suppose the user passwords are stored encrypted in the database and the password entered by the user on the client is hashed by a java script before sending it to the server over SSL. That looks like a secure application with no threat to user passwords, doesn't it? Let's take a closer look at how the authentication happens.

The user types in the password in the login form and submits it. This password is written into a variable in the memory of the browser. A client side script embedded in the html hashes it and puts the secure hash value into another variable in the memory. This new value is then sent to the server to be authenticated. So the application has securely hashed the password but has forgotten about the plain text password in the browser memory. This will remain in the memory till the browser window is closed. If the user does not close the window, even after logging out, an attacker can use a memory reading tool to retrieve this password.

This happens not only in the case of web application but in a number of other places too. Let's see how the application connects to the database in the same setup discussed above. When the application initializes, the information needed to connect to the database are loaded into the memory. These include the connection string, the username and password. These values stay in the memory till the application exits. Access to the system and a memory reading tool is all an attacker will need to retrieve the password.

The same problem exists in a number of other places: chat software, email clients and even SSL enabled html pages. Administrator passwords of applications can also be stolen from the memory. And this problem is already more widespread than one would expect.

The Solution

The SolutionAlong with password encryption, we should take care not to leave the plain text password in the memory. This can be done by remembering to overwrite or reset the memory location that contains the password soon after encryption. We can either overwrite it with some other value or set it zero. The Microsoft SDK provides a SecureZeroMemory function which when passed a block of memory will fill it with zeroes.


Tags: Technical

About

Paladion