|
-
Mar 21st, 2007, 04:11 PM
#1
[2005] Handling password
I have a password protected app which obviously requires a user password and from which I generate a hash. Although I read the password into a SecureString, I cannot hash it without exposing the raw string.
Code:
Public Function MD5Hash(ByVal str As SecureString) As Byte()
'Compute Hash
Return MD5.ComputeHash(System.Text.ASCIIEncoding.ASCII.GetBytes(PtrToStringBSTR(SecureStringToBSTR(str))))
End Function
Exposing the string defeats the object of securing it. Any ideas how I can get out of doing this? This is the only place in the entire app where the users data is exposed in this way.
-
Mar 21st, 2007, 04:29 PM
#2
Re: [2005] Handling password
SecureString isn't all its cracked up to be really..
The very fact that a textbox which the user enters the data in has a .text property that is a regular string means its not really secure from the start.
The only thing I have seen to mininize exposure of the string, is after you marshal the string to an IntPtr using SecureStringToBSTR(), call Marshal.ZeroFreeBSTR() passing in the IntPtr you got from SecureStringToBSTR()
this obviously requires you expand your code out from being 1 single line...
SecureString is meant to minimize exposure on a given group of chars in memory and on the disk, but is by no means 100% secure. It just makes sure it doesn't hang around too long before being destroyed by the framework
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|