Effacer les filtres
Effacer les filtres

Login GUI security issue.

5 vues (au cours des 30 derniers jours)
buer
buer le 19 Mar 2015
Commenté : Sean de Wolski le 19 Mar 2015
Hi,
I am using one api from http://www.mathworks.com/matlabcentral/fileexchange/8499-login. Then I need to pass the username and password to my HTTP server. So my question is that is this safe to use this for login? Where those parameters are saved during processing? I can not see them in workspace, does it mean they do not exist at all? I just want to make sure the information will not leak in any case. thanks.
  1 commentaire
buer
buer le 19 Mar 2015
Anyone knows how to clear the username and password before saving anything so that no one can get a hold of your information? http://www.mathworks.com/matlabcentral/fileexchange/8499-login I need it to be secure....any helpe please

Connectez-vous pour commenter.

Réponse acceptée

Guillaume
Guillaume le 19 Mar 2015
I need it to be secure
That's kind of meaningless. Secure against what? NSA style spying? casual over the shoulder snooping? Who is the adversary?
As far as I know matlab does not make any claim as far as security goes, and does not offer any facility to make the storing of password secure, even temporarily.
The login GUI that you've linked also does not make any attempt to secure the password other than obscuring it in the dialog. In particular. the password is returned as plain text.
Matlab also stores it as plain text in memory and does not offer features to store in secure memory or scrub it afterward. So, a memory dump of the machine could reveal the password.
The password may not appear in the workspace at the end of your code, but it certainly was in the workspace of your function while it runs. Anybody with access to matlab could override a number of built-in functions to capture your password, or issue debugging commands to stop your program and see the value of the password. It is trivial to capture the workspace variables of any function.
In brief, If you do want security do not use matlab but use software dedicated to that and leave it to cryptography experts. Note: I am not an expert at all.
Also know that an attacker determined enough could just capture the password as you type it from the vibration of your keyboard transmitted to your desk, or could reconstruct the memory content of your computer even after it's been turned off.
  3 commentaires
Guillaume
Guillaume le 19 Mar 2015
If you use matlab as the user interface to prompt for the password or to transmit the password, then I believe that you cannot prevent a determined attacker from getting it from memory. At one point or another it will have to be stored in plain text in a function workspace.
I think the best course of action for you is to use that file exchange login gui that will prevent somebody shoulder surfing from seeing the password and accept that an attacker with access to your machine and enough determination can retrieve your password.
Any scheme that you could dream up to secure that password in matlab is bound to be full of holes and will only give you a false sense of security.
Sean de Wolski
Sean de Wolski le 19 Mar 2015
But finding those holes could be a fun question on Answers, Guillame!

Connectez-vous pour commenter.

Plus de réponses (0)

Catégories

En savoir plus sur Programming dans Help Center et File Exchange

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by