List:       kde-core-devel
Subject:    Re: KPasswordEdit and security
From:       Frans Englich <englich () kde ! org>
Date:       2007-01-01 12:45:19
Message-ID: 200701011345.19106.englich () kde ! org

On Tuesday 26 December 2006 22:17, Albert Astals Cid wrote:
> Hi, KPasswordEdit is using a char * internally to store the password. There
> is a note in the header that says "I believe this is safer than a
> QString.". I'm not much into security but I would want some confirmation if
> it is safer to use a char* than a QString.
>
> I'm asking this because I want to fix bug 138997, a bug in KPasswordEdit
> (storing char * and some input method related things) makes it impossible
> to input passwords with non-ASCII characters. One could fix that by porting
> that internal char* to internal ushort*, but that's not trivial, and if
> there is no strong security reason I think we can just drop KPasswordEdit
> altogether for KDE4 and use QLineEdit.

Apart from the security discussions up till now ("one can use QSecureArray or
lock memory pages"), I think they step aside from what this thread brings up:
that KPasswordEdit can't handle Unicode. I find that quite a severe bug.

So, perhaps a good start is to take Unicode support into account before
looking at more sophisticated security measures (which I as well question
whether it's doable globally in KDE and if it doesn't belong on the OS
level).


Cheers,

		Frans