Well I had a minor hiccup today when I decided it was ‘password change day’. I duly went around changing the password on all my systems. Then I got back to work. 10 minutes later I turned to my other system and typed in the password.
… It didn’t work …
I smacked my head and said to myself “D’oh”, I need to use the new password. But I couldn’t remember all of it. All I had was a few characters I could remember and the fact that my mail program was checking the mail every few minutes and still working.
First I got the pid of thunderbird…
    ~% ps -fe | grep thunder
    1000     17509     1  0 13:19 ?        00:00:00 /bin/sh /usr/bin/thunderbird
    1000     17521 17509  0 13:19 ?        00:00:00 /bin/sh /usr/lib/thunderbird/run-mozilla.sh /usr/lib/thunderbird/thunderbird-bin
    1000     17526 17521  0 13:19 ?        00:00:24 /usr/lib/thunderbird/thunderbird-bin
    1000     19101 19006  0 14:09 pts/10   00:00:00 grep thunder
Then I got the address of the heap from the process’ maps
    ~% grep 'heap' /proc/17526/maps
    08d02000-0a9ad000 rw-p 08d02000 00:00 0          [heap]
I compiled up memory_dumper, and ran it against the process and heap addresses listed.
    % ./memory_dumper 08d02000 0a46a000 17526 heap
Then I ran strings on the resulting file, looking for the pattern that matched my remembered password
    % strings heap | grep t%7
    cheat%7Ladel
    cheat%7Ladel
    cheat%7Ladel
    cheat%7Ladel
    %
4 copies of the password in memory in the program. That is just in-freaking-sane. It should be present in the program only once, and should probably be concealed using some form of obfuscation. Mind you, it has kept the new password in my mind now, so I should be grateful.
And just in case you feel like trying the password listed, don’t. It’s not the real password 😉
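An added example, not part of the original post and not the memory_dumper tool it mentions: a Python script that repeats the steps above as an audit of a process you own. It finds the [heap] range in /proc/<pid>/maps, reads that range through /proc/<pid>/mem, and counts how many copies of a known secret fragment are resident. The function names are this example's own, and reading /proc/<pid>/mem is an assumed access method, not necessarily what memory_dumper does.

```python
import re
import sys

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

def heap_range(maps_text):
    """Return (start, end) of the readable [heap] mapping, or None."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group(4) == "[heap]" and m.group(3).startswith("r"):
            return int(m.group(1), 16), int(m.group(2), 16)
    return None

def count_copies(data, needle):
    """Count non-overlapping occurrences of needle; return (count, offsets)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + len(needle))
    return len(offsets), offsets

def scan_pid(pid, needle):
    """Count copies of needle in the heap of process pid.

    The kernel applies a ptrace-style access check to /proc/<pid>/mem:
    the caller must own the process (or be root), and a restrictive
    Yama ptrace_scope can still deny access to non-child processes.
    """
    with open(f"/proc/{pid}/maps") as f:
        rng = heap_range(f.read())
    if rng is None:
        return 0, []
    start, end = rng
    # Unbuffered, so nothing is read beyond the mapped heap range.
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        mem.seek(start)
        data = mem.read(end - start)
    count, offsets = count_copies(data, needle)
    return count, [start + off for off in offsets]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: heap_audit.py <pid> <known-fragment>")
    n, addrs = scan_pid(int(sys.argv[1]), sys.argv[2].encode())
    print(f"{n} copies in heap at", [hex(a) for a in addrs])
```

A count above one after the application has finished authenticating is the condition the post complains about; where ptrace_scope blocks the read, the same restriction also stops other unprivileged processes from doing this to your mail client.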