Isn't password revealed with PasswordBox.Password property?

Question

The msdn documentation on PasswordBox.Password says:

When you get the Password property value, you expose the password as plain text in memory. To avoid this potential security risk, use the SecurePassword property to get the password as a SecureString.

So I send SecurePassword to my view model on PasswordChanged event, expecting everything to be secure, but if I inspect my application with Snoop, in PasswordBox's Password property I see the password I entered in plain text. Does that not kill the whole purpose of using SecurePassword? Is there anything else I should do here to protect the passwords?

Answer 1

This is my humble opinion.

Snoop injects its code in running application. So, it's basically a hacking tool. A very easy-to-use hacking tool, which works only with your GUI. This is why simply changing visibility of any item to hide some data from user is a poor secutity desicion. Everything about restrictions, access and security shouldn't be handled at UI layer. There are ways on How to Snoop proof your wpf application? but main point of answers there is that you have to design your application in the way, which doesn't allow snoop to violate anything. Validate everything on the server, for example.

Back to your question:

There are two scenarios. First one is: user creates a password. I believe this is not a concern, if a user or user's malware will see the password at this moment. Then you receive and store secured string. And clear user's password.

Second scenario: you display a stored password to user. The trick is - you don't display it. You know a length of a password, so you can display just disabled textbox with ****. And if a user wants to change a password - you give him actual passwordboxes, which he has to fill with old password and new one and we are back to scenario #1.

The silver lining is:

When a user inputs a password it's not a big deal, that it is lying in clear text somewhere in a memory, since a user knows what he've typed and malware can track keys pressed.

After you've stored the password you never ever give it back to user

---

Update: This is a source code for Password property of a Password box

   public string Password
        {
            [SecurityCritical]
            get
            {
                string password;

                using (SecureString securePassword = this.SecurePassword)
                {
                    IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(securePassword);

                    try
                    {
                        unsafe
                        {
                            password = new string((char*)ptr);
                        }
                    }
                    finally
                    {
                        System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
                    }
                }

                return password;
            }

So, I guess what MSDN is saying, is that whenever you access Password property, by calling it in code (or viewing it in VS while debugging, or viewing it it Snoop) you call it's get method, which decrypts SecuredString to plain text, what exposes it to memory. If you don't call Password property and don't call it by inspecting in software tools, then password doesn't show up in memory in plain text.