Do password managers leak information with swap memory?
As I've already pointed out in my previous comment, this attack has been foreseen and already countered (by most cryptography-using applications).
The way you do this is, you (the developer) tell the operating system (OS) not to swap out this particular section of the memory. The OS will usually honor that and "make a note" somewhere in the memory manager not to swap this out. However, even this marked area may get swapped out (if too much data is declared "unswappable" or a kernel-mode program needs "too much" memory), so it's better than doing nothing (and letting it be unswappable) but still not perfect and tells you not to flag everything unswappable.
As you're concerned about swapping out secret data to disk you may also be concerned about the hibernation state many OSs offer, where you actually write the full current RAM to disk so you can boot up faster at a later point and can resume your work. This attack scenario is less commonly considered but should be countered by careful treatment (-> erase all cleartext keys / passwords on hibernation / shutdown) and appropriate data encryption.
As asked in the comments to the other question, I'll also quickly provide (some) overview of where to check if the used (open-source) program is vulnerable.
Windows: You need to inspect the memory (password managing) portion of the code and specifically look for VirtualLock() and VirtualUnlock().
Unix-like systems: Inspect the same portion of the code as for Windows but now look out for mlock() and munlock(). Also look for mlockall() at any time in the code as this globally locks the memory into RAM.
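A sketch of the Unix-side pattern described above, as an added example that is not part of the original answer and not taken from any particular password manager. The `secret_buf` type and its helper functions are hypothetical names; the code locks only the pages holding one secret, reports a failed mlock() instead of ignoring it, and wipes the buffer before unlocking.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
/* Hypothetical helper type: a page-aligned buffer holding one secret. */
typedef struct {
    unsigned char *data;
    size_t len;    /* requested size rounded up to whole pages */
    int locked;    /* 1 if mlock() succeeded, 0 if the pages may still be swapped */
} secret_buf;

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 0 on success, -1 on bad size or failed allocation; a refused lock shows in buf->locked. */
static int secret_buf_init(secret_buf *buf, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0) return -1;
    buf->len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = NULL;
    if (posix_memalign(&p, (size_t)page, buf->len) != 0) return -1;
    buf->data = p;
    /* Lock only these pages; mlock() can fail, e.g. when RLIMIT_MEMLOCK is exceeded. */
    buf->locked = (mlock(buf->data, buf->len) == 0);
    return 0;
}

/* Wipe first, then unlock and free. The same wipe belongs in shutdown/hibernate handlers. */
static void secret_buf_destroy(secret_buf *buf) {
    if (!buf->data) return;
    secure_wipe(buf->data, buf->len);
    if (buf->locked) munlock(buf->data, buf->len);
    free(buf->data);
    buf->data = NULL; buf->len = 0; buf->locked = 0;
}

int main(void) {
    static const char sample[] = "constructed-sample-master-key"; /* constructed value */
    secret_buf key;
    if (secret_buf_init(&key, sizeof sample) != 0) return 1;
    if (!key.locked) fprintf(stderr, "warning: lock refused, secret may reach swap\n");
    memcpy(key.data, sample, sizeof sample);
    secret_buf_destroy(&key);
    return 0;
}
```

When auditing an open-source program, the points to check are the same as in this sketch: whether the return value of the lock call is inspected, and whether the wipe happens before the unlock and free.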