all messages for Emacs-related lists mirrored at yhetil.org
* read-passwd: no longer as secure?
@ 2012-04-22 15:53 T.V. Raman
  2012-04-24  0:53 ` Stefan Monnier
  0 siblings, 1 reply; 4+ messages in thread
From: T.V. Raman @ 2012-04-22 15:53 UTC (permalink / raw)
  To: emacs-devel

Spotted this because after a recent git update, I started hearing
passwords as I typed in Emacspeak.

The move to reimplementing read-passwd using read-string appears
to no longer set echo-keystrokes -- but is relying on setting
the display property of the char that is displayed to ?. ---
though this hides on the display it is still available to most
lisp code.

I can update emacspeak so it doesn't speak the chars --- but I
still feel somewhat uneasy about the read-passwd implementation
---




* Re: read-passwd: no longer as secure?
  2012-04-22 15:53 read-passwd: no longer as secure? T.V. Raman
@ 2012-04-24  0:53 ` Stefan Monnier
  2012-04-24  3:00   ` T.V. Raman
  2012-04-24 12:26   ` Ted Zlatanov
  0 siblings, 2 replies; 4+ messages in thread
From: Stefan Monnier @ 2012-04-24  0:53 UTC (permalink / raw)
  To: T.V. Raman; +Cc: emacs-devel

> though this hides on the display it is still available to most
> lisp code.

As it was in the previous implementation (in the `pass' variable).
Hiding information is pretty contrary to the design of Emacs and Elisp.

> I can update emacspeak so it doesn't speak the chars --- but I
> still feel somewhat uneasy about the read-passwd implementation

The new implementation is a lot more flexible, so going back is not on
the agenda.  But if it can be changed to cooperate better with tools
like Emacspeak, I'd be happy to do so.


        Stefan




* read-passwd: no longer as secure?
  2012-04-24  0:53 ` Stefan Monnier
@ 2012-04-24  3:00   ` T.V. Raman
  2012-04-24 12:26   ` Ted Zlatanov
  1 sibling, 0 replies; 4+ messages in thread
From: T.V. Raman @ 2012-04-24  3:00 UTC (permalink / raw)
  To: Stefan Monnier, emacs-devel

I've fixed emacspeak so it doesn't echo the passwd as the user
types -- though it is still possible to hear the password if
the user wishes -- so I guess it aligns with the rest of
Emacs;-)  I agree with you that hiding information in the
elisp world -- and I wasn't necessarily asking to go back
to the old version; however, when I saw the change, I just felt uneasy.
-- 
Best Regards,
--raman



On 4/23/12, Stefan Monnier <monnier@iro.umontreal.ca> wrote:
>> though this hides on the display it is still available to most
>> lisp code.
>
> As it was in the previous implementation (in the `pass' variable).
> Hiding information is pretty contrary to the design of Emacs and Elisp.
>
>> I can update emacspeak so it doesn't speak the chars --- but I
>> still feel somewhat uneasy about the read-passwd implementation
>
> The new implementation is a lot more flexible, so going back is not on
> the agenda.  But if it can be changed to cooperate better with tools
> like Emacspeak, I'd be happy to do so.
>
>
>         Stefan
>




* Re: read-passwd: no longer as secure?
  2012-04-24  0:53 ` Stefan Monnier
  2012-04-24  3:00   ` T.V. Raman
@ 2012-04-24 12:26   ` Ted Zlatanov
  1 sibling, 0 replies; 4+ messages in thread
From: Ted Zlatanov @ 2012-04-24 12:26 UTC (permalink / raw)
  To: emacs-devel

On Mon, 23 Apr 2012 20:53:04 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 

>> though this hides on the display it is still available to most
>> lisp code.

SM> As it was in the previous implementation (in the `pass' variable).
SM> Hiding information is pretty contrary to the design of Emacs and Elisp.

I've mentioned before that it would be useful to have a way to hide
passwords and other secret data.

Currently the best way to do it in ELisp is with a lexical-let closure
that decrypts when you invoke it, AFAIK.  At least the data is not in
the open.  But it would be nice to have a way to securely reserve and
then wipe a string, or perhaps a pass-through method that decrypts
straight into the process rather than into a string.  I'd use it in
auth-source.el, for instance.

Ted
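
Added example, not part of the message above and not code from Emacs or auth-source.el: a sketch of the closure approach the message describes, written with file-level lexical-binding in place of lexical-let. The names `my/seal-secret' and `my/call-with-secret' are hypothetical, and the XOR mask is only a stand-in for real decryption.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example, not code from the thread or from auth-source.el.
;; `my/seal-secret' and `my/call-with-secret' are hypothetical names.
;; The XOR mask is a stand-in for real decryption: it keeps the
;; plaintext out of ordinary variables and printed values, but Lisp
;; code that inspects the closure can still recover it.

(defun my/seal-secret (plaintext)
  "Return a closure that rebuilds PLAINTEXT each time it is called.
PLAINTEXT itself is overwritten with `clear-string' before returning."
  (let* ((len (length plaintext))
         (pad (make-vector len 0))
         (masked (make-vector len 0)))
    (dotimes (i len)
      (aset pad i (random #x100))
      (aset masked i (logxor (aref plaintext i) (aref pad i))))
    (clear-string plaintext)
    (lambda ()
      ;; Unmask into a scratch vector, build the string, wipe the vector.
      (let ((chars (make-vector len 0)))
        (dotimes (i len)
          (aset chars i (logxor (aref masked i) (aref pad i))))
        (prog1 (concat chars)
          (fillarray chars 0))))))

(defun my/call-with-secret (sealed fn)
  "Call FN with the plaintext from SEALED, then wipe that copy."
  (let ((plain (funcall sealed)))
    (unwind-protect
        (funcall fn plain)
      ;; Best effort: this clears only this string object, not any
      ;; copies FN may have made.
      (clear-string plain))))

;; Constructed sample input; `copy-sequence' avoids wiping a literal.
(let* ((sealed (my/seal-secret (copy-sequence "constructed-pw")))
       (n (my/call-with-secret sealed #'length)))
  (message "secret length: %d" n))
```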




