PuTTY fixes password leak

An update has just been released: version 0.62.

PuTTY 0.59 to 0.61 inclusive had a bug in which they failed to wipe from memory the replies typed by the user during keyboard-interactive authentication. Since most modern SSH-2 servers use the keyboard-interactive method for password logins (rather than SSH-2’s dedicated password method), this meant that those versions of PuTTY would store your login password in memory for as long as they were running.

PuTTY 0.62 fixes this bug. Keyboard-interactive responses, including passwords, are now correctly wiped from PuTTY’s memory again.
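
The difference between releasing a reply buffer and wiping it first, as an added example that is not PuTTY's code. A fixed arena stands in for process memory so it can be scanned after release; `ki_reply`, `secure_wipe`, `arena_residue` and the sample password are hypothetical, constructed names and values.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for process memory; all names here are hypothetical. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;
typedef struct { unsigned char *buf; size_t len; } ki_reply;

/* Zero through a volatile pointer so the stores are not dropped as dead writes. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy the typed reply into the arena; 0 on success, -1 if it does not fit. */
int ki_reply_store(ki_reply *r, const char *typed)
{
    size_t n = strlen(typed);
    if (n > ARENA_SIZE - arena_used) return -1;
    r->buf = arena + arena_used; r->len = n;
    memcpy(r->buf, typed, n);
    arena_used += n;
    return 0;
}

/* Release the most recent reply: wipe == 0 is the leaky pattern, nonzero the fix. */
void ki_reply_release(ki_reply *r, int wipe)
{
    if (wipe) secure_wipe(r->buf, r->len);
    arena_used -= r->len;
    r->buf = NULL; r->len = 0;
}

/* Count copies of secret still readable anywhere in the arena. */
size_t arena_residue(const char *secret)
{
    size_t n = strlen(secret), hits = 0;
    for (size_t i = 0; n && i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, secret, n) == 0) hits++;
    return hits;
}

int main(void)
{
    ki_reply r;
    if (ki_reply_store(&r, "constructed-pass")) return 2;
    ki_reply_release(&r, 1);
    return arena_residue("constructed-pass") == 0 ? 0 : 1;
}
```

Calling `ki_reply_release(&r, 0)` instead leaves the reply findable by `arena_residue` even though the holder no longer points at it, which is the condition a memory dump or swap file would capture.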
