Re: Secure Credential's pwd handling



If the "attacker" runs in the same logon session - secure string won't buy you *anything*.

try this tool

http://www.acorns.com.au/Projects/Hawkeye/

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

I completely respect your desire to try to make sure you do the best
you can in terms of securing this information. As you've seen, you
still need to transition to a plaintext representation to feed into
the NetworkCredentials object, so at some point the value will be in
memory. There isn't that much that you can do to prevent that.

If you need to store the password for multiple operations, you might
consider storing it in a SecureString and then converting it back to
string just when you need it, but it isn't clear that doing so will
provide you with a significant amount of protection. It is probably
better than doing nothing though.

SecureString was added to .NET to support this use case. The main
problem with it is that so many APIs from the previous version of .NET
don't use it and they have to continue to exist for backwards
compatibility, so the solution you get is incomplete. There isn't too
much you can do about this though.

Joe K.
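As an added illustration of the pattern Joe K. describes (example code written for this page, not from the thread or its authors), the following C# keeps the password in a SecureString and exposes plaintext only at the call site. The class and method names (SecureStringDemo, ReadPassword, WithUnmanagedPlaintext, WithManagedPlaintext) and the "user" account name are this example's own placeholders; the only framework calls used are the SecureString, Marshal and NetworkCredential members shown.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not code from the thread. Keeps a password in a SecureString
// and exposes plaintext only for the duration of the call that needs it.
static class SecureStringDemo
{
    // Read a password without echo, appending one char at a time so the
    // complete value is never held in a managed System.String on the way in.
    public static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0) secure.RemoveAt(secure.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secure.AppendChar(key.KeyChar);
            }
        }
        secure.MakeReadOnly();
        return secure;
    }

    // For native consumers (a P/Invoke taking LPCWSTR): decrypt into an
    // unmanaged buffer, hand over the pointer, then zero and free it.
    // No managed copy is created, so nothing lingers until the next GC.
    public static void WithUnmanagedPlaintext(SecureString secure, Action<IntPtr> use)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            use(ptr);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    // For managed consumers that only accept System.String (the .NET 2.0-era
    // NetworkCredential constructor). A managed copy is unavoidable here: it
    // cannot be zeroed and lives until the garbage collector reclaims it,
    // which is the window the post above refers to. Keep its scope minimal.
    public static T WithManagedPlaintext<T>(SecureString secure, Func<string, T> use)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secure);
            return use(Marshal.PtrToStringBSTR(bstr));
        }
        finally
        {
            // Zeroes the unmanaged BSTR; the managed string from PtrToStringBSTR
            // is not touched, because managed strings are immutable.
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString pwd = ReadPassword())
        {
            Console.WriteLine();

            // Native-style consumer: here the callback only reports the buffer,
            // but a P/Invoke such as LogonUser would take the pointer directly.
            WithUnmanagedPlaintext(pwd, p =>
                Console.WriteLine("unmanaged buffer at 0x{0:X}, {1} chars",
                                  p.ToInt64(), pwd.Length));

            // Managed consumer: the plaintext System.String handed to the
            // constructor is now an ordinary heap object that cannot be
            // zeroed; the SecureString only shortened how long that copy
            // had to exist before the object was built.
            NetworkCredential cred = WithManagedPlaintext(pwd,
                plain => new NetworkCredential("user", plain));
            Console.WriteLine("credential created for {0}", cred.UserName);
        }
    }
}
```

Two caveats a practitioner should keep in mind: NetworkCredential gained a constructor that accepts a SecureString in .NET Framework 4.0, so the managed-copy step is only forced on the 2.0-era API discussed here; and on .NET Core and later, SecureString contents are not encrypted in memory on non-Windows platforms and Microsoft recommends against using the type in new code. Neither changes Dominick's point: code running in the same logon session can read the decrypted buffer while it exists.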
