Saqib Ullah

BootStrapper Know How


There is a new class, System.Security.SecureString. To understand the purpose of this class, think about, e.g., a password. You probably never want anyone to see the password, but if you store it in a simple System.String instance there are some security risks. For example, how do you get rid of the value when you've finished with the string? You can set the reference to the string to null, but the value itself is still in the managed heap. Indeed, there may be several copies of it lurking around if the garbage collector has moved it during previous collections. Bluntly, the heap was never designed to guard against someone going through it with a memory dump tool.

SecureString solves this kind of issue. Assigning a value to secure string is pretty simple and just like assigning a value to a string, e.g.:

System.Security.SecureString pword = new System.Security.SecureString();
pword = "admin";
pword.Clear();

The value is stored in an encrypted form, and SecureString also has a Clear() method that completely wipes out the data. Extracting the value from a secure string is possible but complicated - and not often done.
posted on Wednesday, November 29, 2006 11:52 PM
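
The post says that extracting the value is possible but complicated. The following is an added example, not code from the original post: it fills a SecureString character by character with AppendChar (the class has no conversion from System.String), then reads the plaintext back through the Marshal class without creating a managed string. The helper names FromChars and UsePlaintext and the sample input are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Hypothetical helper: fill a SecureString one char at a time, then wipe
    // the source buffer. A char[] can be zeroed in place; a System.String cannot.
    static SecureString FromChars(char[] buffer)
    {
        var secure = new SecureString();
        try
        {
            foreach (char c in buffer) secure.AppendChar(c);
            secure.MakeReadOnly();
            return secure;
        }
        catch { secure.Dispose(); throw; }
        finally { Array.Clear(buffer, 0, buffer.Length); }
    }

    // Hypothetical helper: decrypt into unmanaged memory for the duration of the
    // callback only, then zero and free that copy. No managed string is created.
    static T UsePlaintext<T>(SecureString secure, Func<IntPtr, int, T> use)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            return use(ptr, secure.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        char[] typed = { 'a', 'd', 'm', 'i', 'n' }; // constructed sample input
        using (SecureString pword = FromChars(typed))
        {
            // Read the first UTF-16 code unit straight from unmanaged memory.
            char first = UsePlaintext(pword, (p, len) => (char)Marshal.ReadInt16(p));
            Console.WriteLine("length={0} first={1} sourceWiped={2}",
                pword.Length, first, typed[0] == '\0');
        }
    }
}
```

The plaintext exists in unmanaged memory for as long as the callback runs, so keep the callback short and do not copy the data into a managed string inside it.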

Feedback

# re: Password with System.Security.SecureString Class in .Net 2.0 10/7/2008 8:08 PM duggal
how to assign value. you have posted wrong info.
pword = "admin"; never works.

# re: Password with System.Security.SecureString Class in .Net 2.0 1/7/2009 12:11 PM Cassidy
You can assign a value to a SecureString as follows:

using System.Security;

SecureString secureString = new SecureString();
string myPassword = "secret";

foreach (char c in myPassword)
    secureString.AppendChar(c);

secureString.MakeReadOnly();


# re: Password with System.Security.SecureString Class in .Net 2.0 4/29/2011 3:21 AM Michael
I hope no one ever assigns a value like Cassidy shows. That method still generates a clear text string on the heap and can still be extracted. You have to move away from thinking of whole strings and start thinking about character by character operations here. You assign the value of a SecureString by using the class's AppendChar(char) method and you call this on each keypress. That event handler should look like this:

System.Security.SecureString ss = new System.Security.SecureString();

public Form1()
{
    InitializeComponent();
}

void Form1_KeyPress(object sender, KeyPressEventArgs e)
{
    try
    {
        switch (e.KeyChar)
        {
            case (char)Keys.Enter:
                ss.MakeReadOnly();
                HandleSecurePassword(ss);
                break;
            case (char)Keys.Back:
                // RemoveAt throws InvalidOperationException once the string is read-only
                if (!ss.IsReadOnly())
                {
                    ss.RemoveAt(ss.Length - 1);
                }
                break;
            default:
                if (!ss.IsReadOnly())
                {
                    ss.AppendChar(e.KeyChar);
                }
                break;
        }
    }
    catch (ObjectDisposedException)
    {
        ss = new System.Security.SecureString();
        MessageBox.Show("your string was disposed at some point. you should be able to try again");
    }
    catch (ArgumentOutOfRangeException)
    {
        // do nothing. at best you're trying to press backspace on an empty string.
        // this isn't special enough to warrant a modal dialog. maybe after 1000 tries
        // you might want to pop up and tell the user they're doing something stupid. ;)
    }
}

private void HandleSecurePassword(System.Security.SecureString ss)
{
    // logic goes here
}

# re: Password with System.Security.SecureString Class in .Net 2.0 4/29/2011 3:24 AM Michael
Another comment. After you press enter and HandleSecurePassword executes you should be able to just assign a new SecureString object to ss if that would make sense in what you're trying to do. Otherwise, according to this code, ss's value will never change after you press enter.
