在python中将数据标记为敏感 [英] Mark data as sensitive in python

问题描述

我需要在内存中短时间存储用户密码.我该怎么做却又不会在核心转储或回溯中意外泄露此类信息?有没有一种方法可以将值标记为敏感"，以便调试器不会将其保存在任何地方?

I need to store a user's password for a short period of time in memory. How can I do so yet not have such information accidentally disclosed in coredumps or tracebacks? Is there a way to mark a value as "sensitive", so it's not saved anywhere by a debugger?

推荐答案

编辑

我提出了一个使用ctypes(反过来使用C)将内存归零的解决方案.

I have made a solution that uses ctypes (which in turn uses C) to zero memory.

import sys
import ctypes

def zerome(string):
    location = id(string) + 20
    size     = sys.getsizeof(string) - 20

    memset =  ctypes.cdll.msvcrt.memset
    # For Linux, use the following. Change the 6 to whatever it is on your computer.
    # memset =  ctypes.CDLL("libc.so.6").memset

    print "Clearing 0x%08x size %i bytes" % (location, size)

    memset(location, 0, size)

我不保证此代码的安全性.经过测试，可以在x86和CPython 2.6.2上运行.更长的文章是

I make no guarantees of the safety of this code. It is tested to work on x86 and CPython 2.6.2. A longer writeup is here.

在Python中解密和加密将不起作用.字符串和整数是固定且持久的，这意味着您到处都留下一堆密码信息.

Decrypting and encrypting in Python will not work. Strings and Integers are interned and persistent, which means you are leaving a mess of password information all over the place.

散列是标准答案，尽管当然最终需要在某个地方处理明文.

Hashing is the standard answer, though of course the plaintext eventually needs to be processed somewhere.

正确的解决方案是将敏感进程作为C模块进行.

The correct solution is to do the sensitive processes as a C module.

但是，如果您的内存不断受到损害，我会重新考虑您的安全设置.

But if your memory is constantly being compromised, I would rethink your security setup.

这篇关于在python中将数据标记为敏感的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！