SecureString for storing in memory and presenting passwords? Or something else?

I have been writing a little program for myself using C# that I can use to store my passwords and then retrieve them for viewing/editing.

While the passwords are stored to disk in an encrypted format, when they are read into memory for display/editing on a form, they are unencrypted.

I have learned that having unencrypted passwords in memory is a pretty big security problem, so I came across the SecureString class.

Would there be a more secure way to do this than using the SecureString class, or does SecureString live up to its name?

asked Jun 26 '11 11:06 by bertusaurus

1 Answer

SecureString keeps its text encrypted in memory, and you can dispose of it immediately when you don't need it. The problem is, when you want to display it or use it in almost any other way, you have to convert it to a normal string, which is not secure.

Also, I wouldn't rely on it too much – the system is able to decrypt it without any decryption key, which means a determined hacker will most likely be able to do the same. When a hacker gains control of your computer, you can't be sure of anything, and he will probably be able to access anything that's not encrypted using a good algorithm with a good key.

answered Sep 28 '22 08:09 by svick
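The conversion step the answer warns about is where most SecureString code goes wrong. The following is an added example (not code from the question or the answer) showing how to build a SecureString from a char[] rather than a System.String, and how to consume it without ever materialising a managed string: the plaintext is decrypted into unmanaged memory, used inside a callback, and zeroed in a finally block. The class name SecureStringDemo, the helpers FromChars, WithPlaintext and Matches, and the sample password "hunter2" are all assumptions made for the example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example; not part of the original question or answer.
static class SecureStringDemo
{
    // Build the SecureString one character at a time. A System.String is
    // immutable and cannot be wiped; a char[] can, so we clear it afterwards.
    static SecureString FromChars(char[] chars)
    {
        var secure = new SecureString();
        foreach (char c in chars)
            secure.AppendChar(c);
        secure.MakeReadOnly();
        Array.Clear(chars, 0, chars.Length); // wipe our own plaintext copy
        return secure;
    }

    // Run an action against the decrypted text without creating a managed
    // string. The unmanaged copy is zeroed and freed in finally, so it does
    // not linger after use or after an exception.
    static T WithPlaintext<T>(SecureString secure, Func<IntPtr, int, T> action)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure); // UTF-16, NUL-terminated
            return action(ptr, secure.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(ptr); // zeroes, then frees
        }
    }

    // Example consumer: compare against a candidate typed by the user.
    // Reads UTF-16 code units directly from unmanaged memory; the loop runs
    // over every character so timing does not reveal where the mismatch is.
    static bool Matches(SecureString secure, char[] candidate)
    {
        bool result = WithPlaintext(secure, (ptr, len) =>
        {
            if (len != candidate.Length) return false;
            int diff = 0;
            for (int i = 0; i < len; i++)
                diff |= Marshal.ReadInt16(ptr, i * 2) ^ candidate[i];
            return diff == 0;
        });
        Array.Clear(candidate, 0, candidate.Length); // wipe the candidate too
        return result;
    }

    static void Main()
    {
        // Constructed sample input for the demo. A real application would fill
        // the char[] from a masked input control, never from a string literal
        // (literals are interned and stay in memory for the process lifetime).
        char[] typed = "hunter2".ToCharArray();
        using (SecureString pw = FromChars(typed))
        {
            Console.WriteLine(Matches(pw, "hunter2".ToCharArray()));
            Console.WriteLine(Matches(pw, "hunter3".ToCharArray()));
            // What NOT to do: Marshal.PtrToStringUni(ptr) or new NetworkCredential(
            // "", pw).Password both create an immutable managed string that stays
            // on the heap until the GC happens to overwrite it.
        }
    }
}
```

Two caveats a practitioner should know before relying on this. First, per the .NET documentation, SecureString is only encrypted on Windows (via DPAPI); on Linux and macOS under .NET Core/.NET 5+ its contents are held in plaintext, so the pattern above reduces to "zero it after use". Second, Microsoft's own platform-compatibility guidance (DE0001, "SecureString shouldn't be used") recommends against it for new code precisely because, as the answer says, anything that must display or transmit the value has to decrypt it first. Holding the secret in a char[] or byte[] that you clear with Array.Clear or CryptographicOperations.ZeroMemory as soon as the form is closed gives you the same practical guarantee with less ceremony.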