Tip To Developers … Avoid Using Immutable Types for Passwords and Sensitive User Data

Here is a discussion with a developer on their code …

“Why have you stored the passwords as string?”, “Passwords are just strings. What’s the problem?”, “Well, strings are immutable objects”. “But I allocate a null string after I use it, so it’s okay!”, “But that doesn’t actually erase it from memory”. “Yes, it does”, “No, it doesn’t”. Etc.

Mutable and immutable

Our software world has moved to use objects, and these objects can be mutable or immutable. In Python, the predefined types such as int, float, bool, and str are immutable, whereas user-defined classes are defined as mutable. When an object is created it is assigned a unique object identifier and is defined by a given type. There are then no changes allowed for an immutable object, but a mutable object can have its state changed.

In Python, we can determine the memory location of an object by using the id() function. In the following, we allocate two strings, and then determine their memory location:

The result looks rather strange, as when str1 is not equal to str2, they are stored at different memory locations, but they are stored at the same place when they are equal:

The pre-defined mutable objects are list, dict, set and byte array. Now if we try a list object:

We now see that the memory locations are different and that the objects are not the same (even though they have the same values):

The key factor of immutable objects is that they cannot be changed once they have been created, whereas mutable objects can change both their state and contents. A mutable object is thus a real thing in memory, and we can assign other variables to the target object. We can see this in the following:

and where both list1 and list3 will change when we assign a new value to the first element of list3:

Whereas if we do this for immutable objects:

and which gives:

Passwords, keys and sensitive data

And so the problem with holding passwords, encryption keys, and other sensitive data in an immutable object is that we can’t actually erase the memory that has been allocated to it. Once it has been allocated, we must wait for the garbage collector to come along and — hopefully — erase the password from memory. But if we use a byte array we can easily erase the contents of the object:

And a run shows that we have erased the memory for the password object:
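The contrast described above, as an added example that is not the author's own code: rebinding a str leaves the secret reachable through any other reference, while zeroing a bytearray is seen by every alias and view. The helper names (`wipe`, `secret_buffer`) and the sample password are constructed for illustration.

```python
from contextlib import contextmanager


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place; the object keeps its identity."""
    for i in range(len(buf)):
        buf[i] = 0


@contextmanager
def secret_buffer(raw: bytes):
    """Hold a secret in a bytearray and zero it when the block exits."""
    # Assumption: real code reads the secret straight into a bytearray;
    # the immutable bytes argument here is only constructed sample input.
    buf = bytearray(raw)
    try:
        yield buf
    finally:
        wipe(buf)  # runs even if the block raises


def str_rebind_demo():
    """Rebinding a str name does not touch the original object."""
    password = "Qwerty123-constructed"  # constructed sample value
    other_ref = password                # second reference to the same str
    password = ""                       # the "allocate a null string" step
    return password, other_ref          # other_ref still holds the secret


def bytearray_wipe_demo():
    """Zeroing a bytearray is visible through every reference to it."""
    with secret_buffer(b"Qwerty123-constructed") as pw:
        alias = pw                 # second reference to the same object
        view = memoryview(pw)      # zero-copy view of the same memory
        before = bytes(pw)         # immutable copy: the wipe cannot reach it
        ident = id(pw)
    return alias, bytes(view), before, id(alias) == ident


if __name__ == "__main__":
    print(str_rebind_demo())
    print(bytearray_wipe_demo())
```

The `before` value shows the limit of the technique: any bytes or str derived from the buffer is a fresh immutable object that the wipe does not touch.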

Conclusions

In secure code, never use immutable objects to store sensitive data. If possible, you should use byte arrays or lists, as these can be easily erased after use. If your development team is processing sensitive information, and does not know the difference between immutable and mutable objects, you might want to send them on a training course.

ASecuritySite: When Bob Met Alice

This publication brings together interesting articles…

Prof Bill Buchanan OBE

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.
