Author Topic: Encrypted memory storage (Read 3912 times)

Miquel 'Fire' Burns · « **on:** September 21, 2005, 03:07:31 AM »

I know that when you choose to store the master password into memory, the program says the password is encrypted, but what about the value of the password field (which is always in memory when the dialog is open actually), do you happen to handle that at all?

Eric H. Jung · « **Reply #1 on:** September 21, 2005, 03:24:12 AM »

Internally in memory, the PasswordMaker Browser Extension stores the master password encrypted. However, whenever it must display the master password, the master password is decrypted. Unfortunately, there is no way around this. The PasswordMaker Browser Extension does its best to proactively clear sensitive memory after it is needed, but this is not fool-proof. If someone were to:

attach a debugger to the browser
core dump the browser
use another extension such as the Extension Developer's Extension to inspect runtime GUI values

and know where to look, he likely could find the master password (decrypted).

Just as there are no guarantees in life, the same is true with PasswordMaker :)

Let me know if you have other questions,
Eric

PasswordMaker Forums · « **Reply #1 on:** September 21, 2005, 03:24:12 AM »

PasswordMaker Forums

Author Topic: Encrypted memory storage (Read 3912 times)

Miquel 'Fire' Burns

Encrypted memory storage

Eric H. Jung

Encrypted memory storage

PasswordMaker Forums

Encrypted memory storage