
Coding language + libs + gui suggested to ensure secure strings for password manager

Çağlar Arlı


I decided to code my own password manager. There are similar posts to this, but with less specific (or not fully covered) answers/requests.

Seeing how popular OSes are coded bloated, with little security in mind, I want to at least minimize the risk.

Initially I wanted it in python3, but since it does not allow managing memory and clearing the password string after it has been used, I'm considering switching to any language + GUI library that satisfies my expectations (clear all variable copies + cross-platform):

  • allows overwriting the original variable holding the password string (C/C++ allows that)

  • a string-secure GUI library that ensures I can clear the password from GUI elements? The GUI can have its own copies of the password variable that may be inaccessible for me to overwrite after I have placed it in a GUI element, so most likely there must be GUI methods for that, or the GUI should use a reference to a variable and not make any copies at all...

  • alternatively (not the best solution though) I was thinking there could be a 2nd app using system calls to overwrite memory after the app is closed; that would require running such an app, indicating the memory to overwrite, and it must work on Windows/Linux/Android

  • I want my app to be compilable on Windows/Linux/Android without rewriting most of the code (e.g. the GUI)

  • I'm thinking of switching to C++ if there is a set of tools/libraries that will allow me to port it with a GUI to Android and keep everything safe.

My goal is to have 3 layers of encryption with 3 different libraries (and encryption methods) and 3 different passwords. Again, this one I can already find in C/C++. This will satisfy my paranoid requirement of allowing such an encrypted file on a cloud, assuming at least a single library/encryption is not corrupted.

Also I want my passwords to be cleared from memory some time after decryption (e.g. 60 seconds) to minimize the OS exposure risk.

All in all I want to cover:

  1. risk of having decrypted passwords in memory
  2. risk of the GUI keeping a copy of decrypted passwords that is not accessible to overwrite
  3. risk of exposing the cloud file, by having 3 independent layers of encryption.
  4. multiple devices sharing the password library using a cloud drive

Any suggestion as to the easiest way to test that memory was cleared on Windows/Linux/Android is welcome. On Windows there was Cheat Engine, but maybe there's even something better today?

If I decide to do a simple terminal UI my questions are:

  • which kinds of terminals are best for clearing memory
  • how to make sure not only that the "visible" terminal memory was "cleared" (e.g. history), but also that it was overwritten in RAM?
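An added example, not from the question or any answer, in C (the language the post considers), of what "overwriting the original variable" and the first risk in the list look like in practice: a wipe routine the optimizer cannot drop as a dead store, plus an in-process check that the bytes really are zero. The names secure_zero, is_wiped and use_then_wipe and the sample secret are my own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer in a way the compiler cannot elide. A plain memset() right
 * before return/free() is a "dead store" the optimizer may remove; writing
 * through a volatile pointer forces every byte to be stored. Platform-specific
 * equivalents: explicit_bzero() (glibc/BSD), memset_s() (C11 Annex K),
 * SecureZeroMemory() (Windows). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Return 1 if every byte is zero, 0 otherwise. OR-accumulates instead of
 * returning early so the check itself runs in constant time. */
int is_wiped(const void *p, size_t n) {
    const unsigned char *bp = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= bp[i];
    }
    return acc == 0;
}

/* Minimal "use then wipe" flow: the secret lives in a caller-owned buffer only
 * between the copy and the wipe. Wipes the whole capacity, not just strlen(),
 * so stale bytes from an earlier, longer secret cannot survive.
 * Returns the number of secret bytes copied, or 0 if it did not fit. */
size_t use_then_wipe(char *buf, size_t cap, const char *secret) {
    size_t len = strlen(secret);
    if (len >= cap) {
        return 0;
    }
    memcpy(buf, secret, len + 1);
    /* ... buf would be passed to the decryption routine here ... */
    secure_zero(buf, cap);
    return len;
}

int main(void) {
    char buf[64];
    /* constructed sample secret, not a real credential */
    size_t used = use_then_wipe(buf, sizeof buf, "hunter2-constructed-sample");
    printf("used %zu bytes; wiped=%d\n", used, is_wiped(buf, sizeof buf));
    return 0;
}
```

This check only proves that this one copy was wiped; copies made by a GUI toolkit, the C library, or the kernel (swap, crash dumps) are exactly the second risk in the list and need the external tooling the question asks about.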