Does anyone use SecureString in web applications?

  • Question

  • User320513238 posted

    I am currently writing an Authentication Server and have gone back and forth on whether or not to use a SecureString vs a regular String for the password while in memory. While I am well aware that you want to keep sensitive data out of memory, as it can be copied and written to the hard drive swap file, it seems almost useless to use. Let me explain.

    You have your web application that collects the username and password, then passes that on to our WebApi. Once received, the WebApi has to run its validation logic against the password; as part of this validation logic, I must check to see if the provided password matches the stored password. Obviously the stored one will be a hash of some sort; however, I must get access to the actual string in order to transform it into the hash. At that point, we're back to square one. The password is now in memory, which I can't clear as C# is a managed language. In this particular scenario, at least you can say that you've reduced the amount of time that the regular string has lived in memory, so there could be fewer copies of it around. However, there are other scenarios, like creating and changing your password, where the regular string would be in memory for a lot longer.

    What I'm curious to know is if anyone is using SecureStrings for their passwords and, if so, what advice/recommendations can you provide?  Is reducing the amount of time the string resides in memory the best that we can do in C#?

    Thanks.

    Sunday, February 24, 2019 4:40 AM

Answers

  • User-1174608757 posted

    Hi da.3vil.coder,

    In fact, compared with a regular string, SecureString has one fundamental advantage: the user can delete it from computer memory when it is no longer needed.

    However, when you use it in a web application, if anyone other than someone with administrator privileges has a way to read the memory on your server, SecureString is of no use. Furthermore, he has no need to get the SecureString, because he could get the sensitive information by intercepting the HTTP request. Of course, the firewall provides protection for your memory.

    So even if it has little meaning for security, it still provides some protection for your password. SecureStrings are the first step in solving a chicken-and-egg problem: even though most current scenarios require converting them back into regular strings to make any use of them at all, their existence in the framework now means better support for them in the future, at least to a point where your program doesn't have to be the weak link.

    Here are some links you could learn from; I hope they help you.

    https://stackoverflow.com/questions/141203/when-would-i-need-a-securestring-in-net

    https://stackoverflow.com/questions/4463821/is-there-any-benefit-to-using-securestring-in-asp-net

    Best Regards

    Wei Zhang 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, February 25, 2019 8:07 AM
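The question above assumes that hashing a password held in a SecureString forces you back to a managed System.String. The following is an added example, not code from the original thread or from either poster, showing one way to avoid that: the SecureString is marshalled to an unmanaged UTF-16 buffer, copied into a pinned byte array, fed to PBKDF2, and both copies are zeroed afterwards. It targets .NET 6 or later; the class and method names, the PBKDF2 parameters and the sample passwords are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

// Added example (not from the original thread). Targets .NET 6 or later.
// PasswordVerifier, StoredCredential and the PBKDF2 parameters are assumptions.
public static class PasswordVerifier
{
    private const int Iterations = 100_000; // PBKDF2 work factor (assumption)
    private const int SaltBytes  = 16;
    private const int HashBytes  = 32;

    public sealed class StoredCredential
    {
        public byte[] Salt { get; }
        public byte[] Hash { get; }
        public StoredCredential(byte[] salt, byte[] hash) { Salt = salt; Hash = hash; }
    }

    // Builds a SecureString one character at a time. The caller's input may
    // already be a managed string (e.g. from model binding); this class itself
    // never creates one from the password.
    public static SecureString ToSecureString(ReadOnlySpan<char> chars)
    {
        var s = new SecureString();
        foreach (char c in chars) s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    // Copies the SecureString's UTF-16 code units into a pinned byte[] via an
    // unmanaged buffer, hands the bytes to 'use', then zeroes and frees both
    // copies. No System.String is ever built from the password.
    private static T WithPasswordBytes<T>(SecureString password, Func<byte[], T> use)
    {
        IntPtr unmanaged = IntPtr.Zero;
        byte[] bytes = new byte[password.Length * 2];
        GCHandle pin = GCHandle.Alloc(bytes, GCHandleType.Pinned); // keep the GC from moving it
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, bytes, 0, bytes.Length);
            return use(bytes);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(bytes);
            pin.Free();
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }

    // Enrollment (create/change password): derive a salted PBKDF2-SHA256 hash.
    public static StoredCredential Enroll(SecureString password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = WithPasswordBytes(password, bytes =>
            Rfc2898DeriveBytes.Pbkdf2(bytes, salt, Iterations, HashAlgorithmName.SHA256, HashBytes));
        return new StoredCredential(salt, hash);
    }

    // Verification: recompute with the stored salt, compare in constant time,
    // and clear the freshly derived hash afterwards.
    public static bool Verify(SecureString password, StoredCredential stored)
    {
        byte[] candidate = WithPasswordBytes(password, bytes =>
            Rfc2898DeriveBytes.Pbkdf2(bytes, stored.Salt, Iterations, HashAlgorithmName.SHA256, HashBytes));
        try
        {
            return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(candidate);
        }
    }

    public static void Main()
    {
        // Constructed sample input for the demo only.
        using SecureString pw    = ToSecureString("correct horse battery staple");
        using SecureString wrong = ToSecureString("correct horse battery stable");

        StoredCredential cred = Enroll(pw);
        Console.WriteLine(Verify(pw, cred));
        Console.WriteLine(Verify(wrong, cred));
    }
}
```

Two caveats a practitioner should keep in mind. First, this only shrinks the window: the password still exists briefly as a plaintext byte array and in the unmanaged buffer, and in an ASP.NET service the request body has usually already been materialised as a managed string by model binding before you could build the SecureString. Second, SecureString contents are only encrypted in memory on Windows; on .NET Core / .NET 5+ running on Linux or macOS the buffer is held in plaintext, so the zeroing on disposal is the only benefit you get there.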

All replies

  • User320513238 posted

    Wei,

    Thank you for the response; it reaffirms the conversations I've been having with other colleagues on the subject. What they have told me is that SecureString is mainly for client-side applications and for times when you're holding sensitive information to send to a third party. They too made reference to security on the server being the primary factor, and that if someone has physical access, then a SecureString won't stop them.

    Monday, February 25, 2019 1:55 PM