Python's garbage collector does not immediately wipe strings from RAM.
Risk: pass and plaintext_bytes stay in memory until the OS reclaims them. A memory dump of the PC could reveal the password in plain text.
Fix: Since cryptography.hazmat is being used, consider using bytearray for passwords and zeroing them out (e.g., pw_bytes[:] = b'\x00' * len(pw_bytes)) immediately after derive_key is called.
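As an added example (not the code under review), a derive_key wrapper that takes the password as a bytearray and zeroes it in a finally block so the wipe also happens when the KDF raises; it uses the standard library's hashlib.pbkdf2_hmac as a stand-in for the project's KDF, and the iteration count, key length and salt are assumed values.

```python
import hashlib

# Assumed KDF parameters (hypothetical; the project's own derive_key may differ).
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32


def derive_key(pw_bytes: bytearray, salt: bytes) -> bytes:
    """Derive a key from a mutable password buffer, then wipe the buffer.

    hashlib.pbkdf2_hmac accepts any bytes-like object, so the bytearray is
    passed directly and no immutable bytes copy of the password is made here.
    """
    if not isinstance(pw_bytes, bytearray):
        # str and bytes are immutable: there is no way to overwrite them,
        # so refuse them instead of silently leaving the secret in RAM.
        raise TypeError("password must be a bytearray so it can be zeroed")
    try:
        return hashlib.pbkdf2_hmac("sha256", pw_bytes, salt,
                                   PBKDF2_ITERATIONS, KEY_LEN)
    finally:
        # Overwrite in place. This clears the buffer we own, but cannot reach
        # copies made before this call (e.g. the str returned by getpass()).
        pw_bytes[:] = b"\x00" * len(pw_bytes)


def is_wiped(buf: bytearray) -> bool:
    """True when every byte of the buffer has been zeroed."""
    return all(b == 0 for b in buf)


if __name__ == "__main__":
    # Constructed sample input: build the bytearray directly so no bytes/str
    # copy of the password exists in this process.
    pw = bytearray(b"correct horse")
    salt = b"\x01" * 16  # constructed; use os.urandom(16) in real code
    key = derive_key(pw, salt)
    print(key.hex(), "wiped:", is_wiped(pw))
```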