From f4b14c2e1c43235f82b4d07272ecfaf46897c289 Mon Sep 17 00:00:00 2001
From: GGP1
Date: Sat, 25 Feb 2023 23:25:15 -0300
Subject: [PATCH] Wipe sensitive data after its use

---
 passphrase.go | 12 +++++++++++-
 password.go | 8 +++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/passphrase.go b/passphrase.go
index e15aca9..601ef2b 100644
--- a/passphrase.go
+++ b/passphrase.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"math"
+	"runtime"
 	"unicode/utf8"
 )
 
@@ -87,7 +88,16 @@ func (p *Passphrase) generate() ([]byte, error) {
 		p.excludeWords()
 	}
 
-	return bytes.Join(p.words, []byte(p.Separator)), nil
+	passphrase := bytes.Join(p.words, []byte(p.Separator))
+	// Wipe sensitive data
+	for i := range p.words {
+		for j := range p.words[i] {
+			p.words[i][j] = 0
+		}
+	}
+	// Keep buf alive so preceding loop is not optimized out
+	runtime.KeepAlive(p.words)
+	return passphrase, nil
 }
 
 func (p *Passphrase) validateParams() error {
diff --git a/password.go b/password.go
index bfe803a..ef0bca8 100644
--- a/password.go
+++ b/password.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"math"
+	"runtime"
 	"strings"
 )
 
@@ -69,7 +70,12 @@ func (p *Password) generate() ([]byte, error) {
 	password := p.buildPassword()
 	password = p.sanitize(password)
-
+	// Wipe sensitive data
+	for i := range p.pool {
+		p.pool[i] = 0
+	}
+	// Keep buf alive so preceding loop is not optimized out
+	runtime.KeepAlive(p.pool)
 	return password, nil
 }
 
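Review bot: The comment `// Keep buf alive so preceding loop is not optimized out` in the passphrase.go generate() hunk names a variable that does not exist there and overstates what `runtime.KeepAlive` does: it only keeps `p.words` reachable up to that call, it does not pin the zeroing stores, which are stores through a struct field that the compiler does not elide in any case. Suggest `// Keep p.words reachable until the zeroing stores above have completed`, and the same wording fix applies to the matching hunk in password.go. Zeroing `p.words[i]` in place is only a wipe if those byte slices are owned by this Passphrase; if they alias a shared word list (not visible in this hunk), the loop corrupts that list for later calls, so the ownership assumption deserves a comment next to the loop. The joined `passphrase` buffer is handed to the caller unwiped, which is fine but should be stated in generate()'s doc comment so callers know they own that responsibility. If the module targets Go 1.21 or later, the inner loop can be written as `clear(p.words[i])`.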
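Review bot: Zeroing `p.pool` in place in the password.go generate() hunk makes the method single-use unless `p.buildPassword()` rebuilds the pool on every call; both buildPassword and the pool's construction are outside this hunk, but if the pool is built once, a second generate() on the same Password would draw from an all-zero pool. Either document on generate() that it may be called only once per Password, or copy the pool into a local and wipe that local instead. Note also that the pool is derived from the generator's parameters rather than being the secret itself, while any intermediate buffer inside `p.buildPassword()` and the pre-sanitize slice (if `p.sanitize` returns a fresh one) remain unwiped — worth confirming against those functions before treating this as a complete wipe. On Go 1.21 or later the loop reduces to `clear(p.pool)`.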