The users of my application are asked to enter their password to start it. To get the password I simply use:
char c;
std::string password;
while ... // until the end of entry
{
c = fgetc(stdin);
password += c;
}
Once the password is checked I destroy the variable so it can't be retrieved using a core image of my program. For instance, if someone uses "gcore" command and then searches for the password in the core generated they will not find it.
But in my case, I can still retrieve the password value because it seems that it is still in the stdin buffer.
So my question is how can I clear stdin buffer to make the values typed by the user not available in memory anymore ?
I already tried: fflush, __fpurge, fwrite (from the beginning position of stdin stream)... and nothing seems to work.
My answer is: don't use stand I/O streams - use raw file I/O instead:
read(STDIN_FILENO, ...)
You'll have to do your own line buffering but you can guarantee that nothing in the libraries is keeping a buffer of your input.