0

I'm going to write a program that stores passwords and was wondering which language would be good for this. Do languages really have an inherent security? People speak as if they do, for example:

...Java’s dominance and resiliency of late, including hits to its security reputation...

and

... built with security in mind, so security features are one of Java’s advantages.

Are some languages better than other's for security? Do languages running on a VM have a layer of protection (such as Java, C#) compared to things like C/C++? I'm thinking how easy it would be for another program to read the contents of memory of another process.

northerner
  • 273
  • 1
  • 9
  • Reading contents of memory of another process is operating system security. So if you are running it on Windows you can use operating system to protect its memory from being read by running it from dedicated, restricted account, as the service for example. – Aria Apr 20 '17 at 10:22
  • There are multiple questions on this site asking very much the same thing. – schroeder Apr 20 '17 at 10:46
  • @schroeder then delete this one – northerner Apr 20 '17 at 11:59

1 Answers1

2

Different programming languages have different security properties, but I wouldn't go as far as saying Java is "more secure" than C#, for example.

Languages can for example differ in whether they are weakly typed or strongly typed. In a weakly typed language, you can compare a string with an int and the interpreter converts on to another. This can introduce some errors, for example if you try to compare the password hash 0e912893899. It turns out this is a valid number in scientific notation, and has value 0. So in PHP, for example, 0e123 equals 0e456.

Language implementations can also differ in quality. For example, PHP's base_convert function has a limited precision and it is a bad idea to use it on a secret token. However, there is nothing preventing PHP from fixing this, or from another PHP implementation to do this correctly.

Furthermore, languages can differ in their memory management. In C you can allocate 10 bytes of memory and then write 20 bytes into it, which is a security issue. This is not possible in most other languages.

Sjoerd
  • 28,707
  • 12
  • 74
  • 102