after recents passwd(1) changes, We should use explicit_bzero(3) for clearing these sensitive strings. OK?
Index: local_passwd.c =================================================================== RCS file: /cvs/src/usr.bin/passwd/local_passwd.c,v retrieving revision 1.50 diff -u -p -r1.50 local_passwd.c --- local_passwd.c 31 Aug 2016 12:41:19 -0000 1.50 +++ local_passwd.c 31 Aug 2016 14:17:40 -0000 @@ -174,8 +174,10 @@ getnewpasswd(struct passwd *pw, login_ca } if (crypt_checkpass(p, pw->pw_passwd) != 0) { errno = EACCES; + explicit_bzero(oldpass, sizeof(oldpass)); pw_error(NULL, 1, 1); } + explicit_bzero(oldpass, sizeof(oldpass)); } } @@ -204,6 +206,7 @@ getnewpasswd(struct passwd *pw, login_ca if (p != NULL && strcmp(newpass, p) == 0) break; (void)printf("Mismatch; try again, EOF to quit.\n"); + explicit_bzero(newpass, sizeof(newpass)); } (void)signal(SIGINT, saveint); @@ -212,8 +215,10 @@ getnewpasswd(struct passwd *pw, login_ca pref = login_getcapstr(lc, "localcipher", NULL, NULL); if (crypt_newhash(newpass, pref, hash, sizeof(hash)) != 0) { (void)printf("Couldn't generate hash.\n"); + explicit_bzero(newpass, sizeof(newpass)); pw_error(NULL, 0, 0); } + explicit_bzero(newpass, sizeof(newpass)); free(pref); return hash; }