[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Avoiding having sensitive strings interned
- From: Michael Savage <mikejsavage@...>
- Date: Wed, 7 Nov 2012 19:31:35 +0000
On Wed, Nov 07, 2012 at 04:24:11PM -0200, Luiz Henrique de Figueiredo wrote:
> > I'm working on a web framework for Lua and I want to implement some sort of
> > functionality that allows passwords to be verified without them ever
> > actually being used in Lua, so they aren't interned then forever stored in
> > memory.
>
> Store a digest of each password instead of the password itself.
> Send passwords to Lua as numbers (ie the raw bytes).
> In Lua convert each byte to a single-char string and update a digest.
> At the end compare the computed digest with the stored digest.
> My md5 library supports several digests and supports updates.
I am using bcrypt which doesn't support incremental hashing, however
automatically hashing marked fields (fields whose name begins with a dot
etc) is neat and doable, since getting POST values from libevent needs
some C intervention anyway.
Thanks!
Mike
