
Is it a bad idea to bind PasswordBox password?

I've read that the password in a WPF PasswordBox does not have a dependency property for binding the password for security reasons. Despite this, there are ways to bind it anyway.

Users of the MVVM pattern require this databinding; the viewmodel cannot touch the PasswordBox directly without breaking the pattern. One way to work with PasswordBoxes in an MVVM setting is to pass the entire PasswordBox control to the ViewModel, but this breaks the pattern anyway. Binding the Password is probably the cleanest way to work with passwords using MVVM.

There is an argument against binding the Password since this would keep the plaintext password in unencrypted memory until it gets garbage collected. The way I see it, however, is that the password gets stored in unencrypted memory anyway from the moment you access the Password property. This view (or similar) seems to be seconded in this question. Of course it would be in memory for a shorter period without binding (not that login forms have a tendency of being long-lived anyway), but the risk is still there.

Given these arguments, is it really a bad idea to bind the password? And why?

Gigi asked Apr 12 '14 14:04




2 Answers

Using tools like WPF Inspector or Snoop you can spy on the password string. An alternative to passing the PasswordBox to the view-model is to attach a Behavior<UIElement> object to your PasswordBox object, like below:

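using System.Windows;
using System.Windows.Controls;
using System.Windows.Input;
using System.Windows.Interactivity;

public sealed class PasswordBoxBehavior : Behavior<UIElement>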
{
    protected override void OnAttached()
    {
        base.OnAttached();
        AssociatedObject.LostKeyboardFocus += AssociatedObjectLostKeyboardFocus;
    }

    protected override void OnDetaching()
    {
        AssociatedObject.LostKeyboardFocus -= AssociatedObjectLostKeyboardFocus;
        base.OnDetaching();
    }

    void AssociatedObjectLostKeyboardFocus(object sender, KeyboardFocusChangedEventArgs e)
    {
        var associatedPasswordBox = AssociatedObject as PasswordBox;
        if (associatedPasswordBox != null)
        {
            // Set your view-model's Password property here
        }
    }
}

and the XAML code:

<Window ...
        xmlns:i="clr-namespace:System.Windows.Interactivity;assembly=System.Windows.Interactivity">
    ...
    <PasswordBox ....>
        <i:Interaction.Behaviors>
            <local:PasswordBoxBehavior />
        </i:Interaction.Behaviors>  
    </PasswordBox>
    ...
</Window>
mca answered Oct 17 '22 12:10
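Added example, not part of the answer above or of the original page: one way to fill in the behavior so the view-model receives `PasswordBox.SecurePassword` instead of a managed `string`, with the plaintext exposed only inside a short, zeroed unmanaged buffer at the point of use. `IHasSecurePassword`, `SecurePasswordBehavior` and `PlaintextWindow` are hypothetical names chosen for this illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Windows.Controls;
using System.Windows.Input;
using System.Windows.Interactivity;

// Hypothetical view-model contract (assumption, not from the page).
public interface IHasSecurePassword { SecureString Password { set; } }

public sealed class SecurePasswordBehavior : Behavior<PasswordBox>
{
    protected override void OnAttached()
    {
        base.OnAttached();
        AssociatedObject.LostKeyboardFocus += OnLostKeyboardFocus;
    }

    protected override void OnDetaching()
    {
        AssociatedObject.LostKeyboardFocus -= OnLostKeyboardFocus;
        base.OnDetaching();
    }

    private void OnLostKeyboardFocus(object sender, KeyboardFocusChangedEventArgs e)
    {
        // SecurePassword hands back a SecureString copy; the receiver should Dispose it.
        // No System.String holding the password is created on this path.
        if (AssociatedObject.DataContext is IHasSecurePassword vm)
            vm.Password = AssociatedObject.SecurePassword;
    }
}

public static class PlaintextWindow
{
    // Exposes the UTF-16 plaintext to 'use' only, then zeroes and frees the buffer.
    public static T Use<T>(SecureString secret, Func<IntPtr, int, T> use)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            return use(buffer, secret.Length); // pointer + length in chars
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }
}
```

This shortens how long the plaintext sits in process memory; it does not hide the control from in-process inspection tools that read `PasswordBox.Password` directly. `SecureString` contents are encrypted in memory only on .NET Framework, and Microsoft advises against relying on it in new code.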


It is not wise to avoid binding the password box in the belief that snooping it will then not yield results!

PasswordBox.Password will still show the password no matter what!

OptimusPrime answered Oct 17 '22 10:10