Re: Secure Credential's pwd handling
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 29 Aug 2007 20:26:41 +0000 (UTC)
If the "attacker" runs in the same logon session - secure string won't buy you *anything*.
Try this tool:
http://www.acorns.com.au/Projects/Hawkeye/
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
I completely respect your desire to try to make sure you do the best
you can in terms of securing this information. As you've seen, you
still need to transition to a plaintext representation to feed into
the NetworkCredentials object, so at some point the value will be in
memory. There isn't that much that you can do to prevent that.
If you need to store the password for multiple operations, you might
consider storing it in a SecureString and then converting it back to
string just when you need it, but it isn't clear that doing so will
provide you with a significant amount of protection. It is probably
better than doing nothing though.
SecureString is added to .NET to support this use case. The main
problem with it is that so many APIs from the previous version of .NET
don't use it and they have to continue to exist for backwards
compatibility, so the solution you get is incomplete. There isn't too
much you can do about this though.
Joe K.
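The pattern discussed in the quoted reply (hold the password in a SecureString, produce plaintext only at the point of building the NetworkCredential), as an added C# example that is not code from either poster. The class and method names, the account name and the sample password are hypothetical.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

static class CredentialHelper   // hypothetical helper, not a framework type
{
    // Build the SecureString one character at a time, then wipe the input buffer.
    public static SecureString ToSecureString(char[] chars)
    {
        SecureString s = new SecureString();
        foreach (char c in chars) s.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);
        s.MakeReadOnly();
        return s;
    }

    // Decrypt only for the duration of this call.
    public static NetworkCredential ToNetworkCredential(string user, SecureString pwd, string domain)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(pwd);
            // PtrToStringBSTR creates an immutable managed string. It cannot be
            // zeroed and stays in memory until the GC reclaims it: this is the
            // unavoidable plaintext window the reply describes.
            return new NetworkCredential(user, Marshal.PtrToStringBSTR(bstr), domain);
        }
        finally
        {
            // The unmanaged copy, unlike the managed one, can be wiped.
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample input; a real program would read keystrokes into
        // the char[] instead of starting from a string literal.
        char[] typed = "constructed-sample-pw".ToCharArray();
        using (SecureString pwd = CredentialHelper.ToSecureString(typed))
        {
            NetworkCredential cred = CredentialHelper.ToNetworkCredential("alice", pwd, "EXAMPLE");
            Console.WriteLine(cred.UserName + "@" + cred.Domain + " length=" + cred.Password.Length);
        }
    }
}
```

The returned NetworkCredential keeps the password as an ordinary string for as long as the object is referenced, so the SecureString only protects the value between uses.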