Is there a specific type for passwords other than String in .NET?


7

I very commonly see strings used to store passwords in program memory, not only in .NET, but in all the programming languages I’ve used.

At first, I don’t see a problem with it. But since I know the .NET ecosystem is HUGE, I got curious: Is there some type optimized for storing passwords, or is string the only one? And if there is, is it worth it? Or are strings enough?

  • 1

    http://msdn.microsoft.com/en-us/library/system.security.securestring%28v=vs.110%29.aspx

  • @luiscubal I just saw this type. If you have experience with this type and can answer the other two questions, I will be grateful.

1 answer

8


The SecureString type is described by the documentation as follows:

Represents text that should be kept confidential. It is encrypted for privacy when it is being used, and erased from computer memory when no longer needed.

This type implements the IDisposable interface, and it is through the Dispose method that you indicate that it must be erased from memory.

Several .NET classes that handle passwords, including the WPF PasswordBox, include methods or properties that use this class.

The purpose of this class is to prevent passwords from being stored on disk (swap) and make it more difficult (though not impossible) for an attacker with access to computer memory to find out what the password value is.

Of course, this class is only of interest if the password never becomes available as a conventional string or byte[].

Also relevant: https://stackoverflow.com/questions/141203/when-would-i-need-a-securestring-in-net (in English)

  • I think I got it... it’s only worth it if you build the password character by character, for example, since turning a string into a SecureString would not be useful, as you already have an "insecure" string in memory. Is that it?

  • 1

    @Andréleria In practice, yes. However, if you already have an API that keeps the string in memory, you may still be interested in converting to SecureString, in case the SecureString is used for a long time. In this case, the garbage collector may release the string and leave the SecureString alive for the rest of the time. But the ideal is to have it in SecureString all the time.
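
The pattern discussed in the answer and comments above, as an added example (not code from the answer or from Microsoft): the password is collected key by key into a SecureString and is exposed as plaintext only in an unmanaged buffer that is zeroed right after use. The class and method names (`SecurePasswordDemo`, `ReadPassword`, `ContainsDigit`) are illustrative assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecurePasswordDemo
{
    // Reads the password key by key, so it never exists as a managed string.
    static SecureString ReadPassword()
    {
        var password = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true); // no echo
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace && password.Length > 0)
                password.RemoveAt(password.Length - 1);
            else if (!char.IsControl(key.KeyChar))
                password.AppendChar(key.KeyChar);
        }
        Console.WriteLine();
        password.MakeReadOnly(); // further edits now throw
        return password;
    }

    // Decrypts into unmanaged memory only for the duration of the check,
    // then zeroes and frees the buffer even if an exception is thrown.
    static bool ContainsDigit(SecureString secret)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            for (int i = 0; i < secret.Length; i++)
                if (char.IsDigit((char)Marshal.ReadInt16(buffer, i * 2))) return true;
            return false;
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString password = ReadPassword()) // Dispose erases the protected copy
            Console.WriteLine("Contains a digit: " + ContainsDigit(password));
    }
}
```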
