
I am a Java developer who is building an app that needs to call a C# process from within it. In my situation, the Java app is calling this C# program: https://github.com/nddipiazza/SharepointOnlineCookieFetcher.

This C# program requires a password. It accepts a password on stdin (masked using SecureInput), or it can take the password as an environment variable.

I am wondering... in this situation... what is more secure and why?

1) Sending the password using the stdin?

or

2) Set the environment variable SPPWD=thepassword and call the program?

1 Answer

Neither. Both ways of providing the password can be bypassed (rather trivially) in the same way (replacing the target executable with your own or checking the child process state at runtime).

Stephane
    Created a follow-up that you might be able to answer https://security.stackexchange.com/questions/180391/how-to-securely-send-a-password-from-one-app-to-another-app – Nicholas DiPiazza Feb 23 '18 at 17:23
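
The two delivery options from the question, side by side, as an added example that is not part of the original posts or of the SharepointOnlineCookieFetcher project. It assumes Java 9+ and that the class is compiled with `javac` first; the child is a stand-in that re-runs this same class, and the class name, the `child` argument and the sample secret are constructed for illustration.

```java
import java.io.*;
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PasswordHandoff {
    // Child role, a stand-in for the fetcher: report where a secret arrived, never its value.
    static String childReport() throws IOException {
        String line = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8)).readLine();
        return "env=" + (System.getenv("SPPWD") != null) + " stdin=" + (line != null && !line.isEmpty());
    }

    // Re-launch this JVM and class as the child; drop any SPPWD the parent itself inherited.
    static ProcessBuilder child() {
        String java = ProcessHandle.current().info().command().orElse("java");
        ProcessBuilder pb = new ProcessBuilder(java, "-cp",
                System.getProperty("java.class.path"), "PasswordHandoff", "child");
        pb.environment().remove("SPPWD");
        return pb.redirectErrorStream(true);
    }

    // Start the child, optionally write the secret to its stdin, return what it reported.
    static String run(ProcessBuilder pb, char[] stdinSecret) throws Exception {
        Process p = pb.start();
        try (OutputStream out = p.getOutputStream()) {
            if (stdinSecret != null) {
                ByteBuffer b = StandardCharsets.UTF_8.encode(CharBuffer.wrap(stdinSecret));
                out.write(b.array(), 0, b.limit());
                out.write('\n');
                Arrays.fill(b.array(), (byte) 0); // wipe the encoded copy
            }
        } // closing the pipe gives the child EOF
        String report = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return report.trim();
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && args[0].equals("child")) { System.out.println(childReport()); return; }
        char[] secret = "constructed-sample".toCharArray(); // constructed value
        System.out.println("via stdin: " + run(child(), secret));
        ProcessBuilder viaEnv = child();
        // Environment values must be Strings: this copy cannot be wiped, and the child's
        // environment is inherited by anything the child starts in turn.
        viaEnv.environment().put("SPPWD", new String(secret));
        System.out.println("via SPPWD: " + run(viaEnv, null));
        Arrays.fill(secret, '\0');
    }
}
```

Neither path changes the point made in the answer: the child still ends up holding the secret either way, so the code only shows where each option leaves copies on the parent side.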