Maybe stating the obvious, but just in case: can your system support any 
OAuth2 authentication instead, or SSH keys? That would avoid the whole password 
in the first place. Maybe it doesn't meet your needs at all, just making sure it 
was not overlooked. Login/passwords are bad in an application in the first place. 
But some applications still need those. Ignore if not applicable to you.
 
-----Original Message-----
From: Interest <interest-boun...@qt-project.org> On Behalf Of Jason H
Sent: September 5, 2019 9:31 AM
To: Alexander Ivash <elder...@gmail.com>
Cc: interestqt-project.org <interest@qt-project.org>
Subject: Re: [Interest] QML and sensitive data

> Is there any mechanism for cleanup sensitive data like passwords etc 
> from QML? This issue is that gc() doesn't seem to even nullify memory 
> (at least in release on Windows) so all the sensitive information 
> stays in memory.


My recommendation would be to use a library that has proper storage and 
management of such things. I have used the Crypto++ library ( 
https://www.cryptopp.com/ ) with Qt/QML. It's not a magic bullet and proper 
cryptography is hard. However, I think you can keep the string in C++ land, and 
encrypted. How? You have to not store the password ever. Assuming I understand 
your situation, if it were me trying to protect a password field, I would have 
something that looks and behaves like an InputText (or whatever) that sends the 
characters to the C++ side, so that the sensitive data never exists in QML, 
subject to gc(). Of course keylogging would be able to recover the password, 
but there is no single QML string that is 
"SuperSecretIn-MemoryPassword1234!@#$".

So:
1. Break it into non-contiguous parts
2. Do all crypto in C++
3. Have the UI mimic familiar paradigms but don't actually use them







_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
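
Added example, not code from the thread, Qt or Crypto++: a sketch of holding the password on the C++ side, where characters arrive one at a time and the storage is overwritten after use instead of being left for a garbage collector. The class name `SecretBuffer` and the 128-byte capacity are assumptions, and the QObject wrapper that would expose it to QML is omitted.

```cpp
#include <array>
#include <cstddef>

// Hypothetical helper (not from the thread): fixed-capacity secret holder on
// the C++ side. The UI forwards one character per keystroke, so no complete
// password string is ever built in QML.
class SecretBuffer {
public:
    static constexpr std::size_t kCapacity = 128;  // assumed maximum length
    SecretBuffer() = default;
    SecretBuffer(const SecretBuffer&) = delete;             // no silent copies
    SecretBuffer& operator=(const SecretBuffer&) = delete;
    ~SecretBuffer() { wipe(); }

    // Fixed storage never reallocates, so no stale partial copies of the
    // secret are left behind on the heap while the user types.
    bool append(char c) {
        if (len_ >= kCapacity) return false;
        data_[len_++] = c;
        return true;
    }
    // Backspace: overwrite the removed character immediately.
    void removeLast() { if (len_ > 0) put(--len_, 0); }

    // Hand the bytes to a consumer (hashing, key derivation, login call) that
    // returns a value, then wipe before returning that value to the caller.
    template <typename F>
    auto consume(F&& fn) {
        auto result = fn(static_cast<const char*>(data_.data()), len_);
        wipe();
        return result;
    }
    void wipe() {
        for (std::size_t i = 0; i < kCapacity; ++i) put(i, 0);
        len_ = 0;
    }
    std::size_t size() const { return len_; }
    bool isZeroed() const {
        for (char c : data_) if (c != 0) return false;
        return true;
    }

private:
    // Store through a volatile pointer so the compiler does not drop the
    // overwrite as a dead store.
    void put(std::size_t i, char v) { volatile char* p = data_.data(); p[i] = v; }
    std::array<char, kCapacity> data_{};
    std::size_t len_ = 0;
};
```
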