P-H-C / phc-winner-argon2

The password hash Argon2, winner of PHC

Usage - Passing password in command line call #323

Open 8f0d4015198521d2c2b191eabf opened 3 years ago

8f0d4015198521d2c2b191eabf commented 3 years ago

Why, in the demonstrated usage, is the password passed in the command line?

```bash
echo "pwd"|./argon2 saltsalt
```

The command (and password) is now visible by entering the history command in the terminal.

How can I use the executable without this problem? If I just enter ./argon2 saltsalt and then enter the password, the program halts.

I would expect the program to allow me to enter the password without echoing back to terminal.

ufukty commented 3 years ago

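Is it good enough to be the example? It is not clear though.

```bash
# IFS= and -r keep spaces and backslashes intact; -s disables terminal echo
IFS= read -r -s -p "Enter password: " my_password
# printf is a shell builtin: no trailing newline, and a leading "-" is not parsed as an option
printf '%s' "$my_password" | ./argon2 saltsalt
unset my_password
```

And we can't use cat; it prints a newline at the end even if it is not in the file.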

8f0d4015198521d2c2b191eabf commented 3 years ago

I'm not sure, why not just read from the C program itself with echo disabled?

https://stackoverflow.com/a/59923166/6382242

8f0d4015198521d2c2b191eabf commented 3 years ago

Setting the environment variable may allow it to be read by other processes on the system. Also, since Argon2 is meant to be slow, that environment variable will be set for a decent amount of time (plenty of time for another process to access it).
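
The in-program approach suggested in this thread (read the password with terminal echo disabled), as an added example that is not code from the issue or from the argon2 project. `read_secret` and the 128-byte buffer are hypothetical choices for illustration; piped input keeps working because echo is only touched when the descriptor is a terminal.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* read_secret is a hypothetical helper, not part of the argon2 code base.
 * Reads one line from fd into buf (capacity cap), turning terminal echo off
 * when fd is a TTY and leaving piped input untouched. Returns the length
 * without the trailing newline, or -1 on error or overlong input. */
static long read_secret(int fd, char *buf, size_t cap)
{
    struct termios saved, quiet;
    int is_tty, overlong = 0;
    size_t len = 0;
    ssize_t n;
    char c;

    if (cap == 0) return -1;
    is_tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (is_tty) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;          /* typed characters are not echoed */
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0) return -1;
    }
    while ((n = read(fd, &c, 1)) == 1 && c != '\n') {
        if (len + 1 >= cap) { overlong = 1; break; } /* keep room for the NUL */
        buf[len++] = c;
    }
    if (is_tty) tcsetattr(fd, TCSAFLUSH, &saved);   /* restore echo on every path */
    if (n < 0 || overlong) {
        memset(buf, 0, cap);                        /* do not hand back a partial secret */
        return -1;
    }
    buf[len] = '\0';
    return (long)len;
}

int main(void)
{
    char pwd[128];
    long n;
    if (isatty(STDIN_FILENO)) fputs("Password: ", stderr);
    n = read_secret(STDIN_FILENO, pwd, sizeof pwd);
    if (isatty(STDIN_FILENO)) fputc('\n', stderr);
    if (n >= 0) printf("read %ld password bytes\n", n); /* pass pwd to the hash here */
    memset(pwd, 0, sizeof pwd);                     /* best-effort wipe before exit */
    return n < 0;
}
```

The helper does not install a signal handler, so interrupting the prompt with Ctrl-C leaves echo off until the terminal is reset.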