Results 1 to 2 of 2

Thread: [2005] Handling password

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,950

    [2005] Handling password

    I have a password protected app which obviously requires a user password and from which I generate a hash. Although I read the password into a SecureString, I cannot hash it without exposing the raw string.

    Code:
        Public Function MD5Hash(ByVal str As SecureString) As Byte()
            'Compute Hash
            Return MD5.ComputeHash(System.Text.ASCIIEncoding.ASCII.GetBytes(PtrToStringBSTR(SecureStringToBSTR(str))))
        End Function
    Exposing the string defeats the object of securing it. Any ideas how I can get out of doing this? This is the only place in the entire app where the users data is exposed in this way.

  2. #2
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [2005] Handling password

    SecureString isn't all its cracked up to be really..

    The very fact that a textbox which the user enters the data in has a .text property that is a regular string means its not really secure from the start.

    The only thing I have seen to mininize exposure of the string, is after you marshal the string to an IntPtr using SecureStringToBSTR(), call Marshal.ZeroFreeBSTR() passing in the IntPtr you got from SecureStringToBSTR()

    this obviously requires you expand your code out from being 1 single line...

    SecureString is meant to minimize exposure on a given group of chars in memory and on the disk, but is by no means 100% secure. It just makes sure it doesn't hang around too long before being destroyed by the framework

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width