Textbox to SecureString?

Question

User463812309 posted

Hello,

I'm creating a replacement for Microsoft's iisadmpwd password change facility which allows our users to change their domain passwords when not on a domain joined PC.

I have 5 textboxes:

Domain
User
Old Password
New Password
New Password2

I am converting the contents of the password text boxes to secure strings before sending to AD, but I'd prefer that when users enter data into the text boxes it's appended to a secure string automatically.

I see various solutions for Windows Forms such as http://weblogs.asp.net/pglavich/Secure-TextBox-Updated but I cannot find one for Web Forms.

Is there any such control?

Thanks

Karl

Answer 1

User-782232518 posted

Can you pause for a while to think about the design of ASP.NET (or a web page in general)?

Users open a web browser and type the password in a web page there. Then an HTTP POST sends the data to the server side (ASP.NET on IIS). It is completely different from WinForms where all things happen on the same machine. You need to find other ways to secure the password. 

Answer 2

User347430248 posted

Hi Karl,

Generally SecureString is used for the client side applications.

and for web form applications people generally use Form Authentication and SSl. so if you have options to try a new thing you can try to implement that in your code.

then also if SecureString is only the option that you want to use then please visit the link below for getting information regarding SecureString and method to append data.

SecureString Class

in the link below you will find a discussion regarding using securestring in Asp.net.

Is there any benefit to using SecureString in ASP.NET?

Regards

Deepak

Answer 3

User463812309 posted

I guess I should have mentioned that the application uses SSL from the client to the page.

I read the stack overflow discussion already - I am following the "transferring authentication credentials from one system to another." reasoning to use secure strings to send the data to AD, which is working well.

I believe I already mentioned that I am using secure strings, and copying the data from the text boxes to the secure strings, so I don't need a refresher on appending the data to secure strings :)

My only goal here is to attempt to prevent the data from remaining in memory on the server.

Karl

Answer 4

User463812309 posted

Maybe I am over worrying here.

There are 5 servers running Server 2012 R2 which only 3 people have any real reason to ever login to - for installing patches.

So, the real odds of someone capturing the memory of the server should be pretty small?

Plus, they'd have to capture the memory of all 5 to have any kind of chance to capture a password.

Not to mention that this page will probably not get accessed much.

I'm just surprised there is not a textbox control that can append to a securestring and delete each character as it's entered.

Karl

Answer 5

User347430248 posted

Hi Karl,

is your issue solved?

if your issue is solved. would you like to share the solution?

if your issue is not solved till now then please let me know so that I can try to give you further suggestions to solve your issue.

Regards

Deepak

Answer 6

User534538018 posted

Hello,

My issue is not resolved.

Karl

Answer 7

User347430248 posted

Hi Karl,

I try to find related to your issue.

but I did not find any exact solution for that.

I find Web parts to make web page secure.

Because Web Parts is a feature of ASP.NET, and Web Parts controls are extended ASP.NET server controls, Web Parts pages are susceptible to all the same risks as ASP.NET pages. A Web application with pages that use Web Parts controls is really just a specialized type of ASP.NET application, and an application that uses Web Parts can run in any trust level that an ordinary ASP.NET application can. For general information about ASP.NET Web site security, see ASP.NET Security. However, Web Parts has some unique security issues that normal ASP.NET pages do not have. These issues are discussed in the following sections.

Reference:

Securing Web Parts Pages

Regards

Deepak