none
SecureString from TextBox.Text

    Question

  • I'm looking to implement a secure string.

    The users will enter the details into a text box and at the point of login I was going to convert this to a secure string.

    Some sample code i have managed to find...

    public static SecureString ConvertToSecureString(this string password)
    {
        if (password == null)
            throw new ArgumentNullException("password");
    
        unsafe
        {
            fixed (char* passwordChars = password)
            {
                var securePassword = new SecureString(passwordChars, password.Length);
                securePassword.MakeReadOnly();
                return securePassword;
            }
        }
    }

    and if I was to call the method

    ConvertToSecureString(TextBox1.Text);

    Is this secure. My concerns are...

    Is the Textbox1.Text still going to be represented in memory somewhere? and for how long?

    Would passing TextBox1.Text to the method just not create the string data in memory anyway? and for how long?

    Thanks

    Friday, July 11, 2014 11:14 AM

Answers

  • Even when the GC has run, the string still be in memory until those memory addresses are re-used. The GC does not zero the memory it frees.

    There are severe limits to how secure you can make your application if you admit the bad guys can run abritrary processess on the same machine. They could just hook into the keyboard handlers and capture what the user typed, which would require significantly less technical skills than rumaging around in another process's memory.

    • Marked as answer by TonyS81 Friday, July 11, 2014 1:31 PM
    Friday, July 11, 2014 1:01 PM
  • Yes, the data will be stored in the memory and is therefore possible to read for someone with access on the machine. The data will be removed when the garbage collector runs which is handled by the .net framework. You can force the garbage collector to run manually, but that has implications and you will have to read up on it before taking a decision to do so so that you properly understands what it does and what might happen.

    But still, if someone had access on the machine, and really wanted to get that information, they would. You cannot stop it since all the information at some point has to reside within the computers memory. Is it really worth it to try and minimize it? Don't overoptimize your code. "Good enough" might be just that sometimes.

    • Marked as answer by TonyS81 Friday, July 11, 2014 1:31 PM
    Friday, July 11, 2014 11:48 AM
    • Marked as answer by TonyS81 Friday, July 11, 2014 1:31 PM
    Friday, July 11, 2014 11:50 AM

All replies

  • Yes, the data will be stored in the memory and is therefore possible to read for someone with access on the machine. The data will be removed when the garbage collector runs which is handled by the .net framework. You can force the garbage collector to run manually, but that has implications and you will have to read up on it before taking a decision to do so so that you properly understands what it does and what might happen.

    But still, if someone had access on the machine, and really wanted to get that information, they would. You cannot stop it since all the information at some point has to reside within the computers memory. Is it really worth it to try and minimize it? Don't overoptimize your code. "Good enough" might be just that sometimes.

    • Marked as answer by TonyS81 Friday, July 11, 2014 1:31 PM
    Friday, July 11, 2014 11:48 AM
    • Marked as answer by TonyS81 Friday, July 11, 2014 1:31 PM
    Friday, July 11, 2014 11:50 AM
  • Even when the GC has run, the string still be in memory until those memory addresses are re-used. The GC does not zero the memory it frees.

    There are severe limits to how secure you can make your application if you admit the bad guys can run abritrary processess on the same machine. They could just hook into the keyboard handlers and capture what the user typed, which would require significantly less technical skills than rumaging around in another process's memory.

    • Marked as answer by TonyS81 Friday, July 11, 2014 1:31 PM
    Friday, July 11, 2014 1:01 PM
  • Many thanks to you all.

    I had a feeling that if someone else had access to the machine (another administrator or attacker) it would for the most part be "at Risk" as I had run a "memory peek application" this morning and found my keyword with a search.

    I suspect as Nick suggested, this in practice is a little harder to do, especially if you don't know what you are looking for, and other methods of key capture would be employed.

    Thanks again

    Tony

    Friday, July 11, 2014 1:36 PM
  • Even when the GC has run, the string still be in memory until those memory addresses are re-used. The GC does not zero the memory it frees

    Just to continue, it's actually the programmer job to zero out the array of characters.

    The whole point of using SecureString is to allow you to store the string securely outside to the managed space and instead of using strings which are also interned you need to use array of characters right from the start to the end for it be more secure for a certain period of time.

    So when you store it you need to do two things a) Add the array of characters to SecureString. b) zero out all the characters. and finally dispose SecureString when you're done.

    So to your question the sample code is insecure as you need to pass the password in plain string  and the CLR is interning the string which makes it quite easy to query the application for the password(s).


    Regards, Eyal Shilony

    Friday, July 11, 2014 3:47 PM
    Moderator