Comments on: SecureString: Safe from Forensics, but not Surveillance http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/ C# Information, Code, Tips and News Sat, 24 Jul 2010 01:26:51 -0400 http://wordpress.org/?v=2.8.6 hourly 1 By: timm http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/comment-page-1/#comment-5258 timm Fri, 14 Aug 2009 17:50:47 +0000 http://www.mini-tools.com/at2/csharp/wordpress/securestring-safe-from-forensics-but-not-surveillance/#comment-5258 John, you are correct, if you use a standard WinForms TextBox to collect the string from the user, then it doesn't matter whether you use a SecureString to store it... your string has already been exposed in the TextBox's Text property. If you need a TextBox to obtain a secure string from the user, then you need a special TextBox that keeps the string secure. Here's a good example: http://coolthingoftheday.blogspot.com/2006/03/securepasswordtextbox-securestring.html John, you are correct, if you use a standard WinForms TextBox to collect the string from the user, then it doesn't matter whether you use a SecureString to store it… your string has already been exposed in the TextBox's Text property.

If you need a TextBox to obtain a secure string from the user, then you need a special TextBox that keeps the string secure. Here's a good example:

http://coolthingoftheday.blogspot.com/2006/03/securepasswordtextbox-securestring.html

]]> By: John http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/comment-page-1/#comment-5254 John Tue, 11 Aug 2009 17:15:48 +0000 http://www.mini-tools.com/at2/csharp/wordpress/securestring-safe-from-forensics-but-not-surveillance/#comment-5254 Okay -- am I seeing a chicken before the egg thing here? How can you populate one of these secure strings without an original string residing in memory at some point? If you get a password from a standard Winforms textbox wouldn't the Text property be stored in memory somewhere? And then you would have to break it into characters? Wouldn't that operation require a standard string? Doesn't this render the class by itself useless when used with standard .NET components? Okay — am I seeing a chicken before the egg thing here? How can you populate one of these secure strings without an original string residing in memory at some point? If you get a password from a standard Winforms textbox wouldn't the Text property be stored in memory somewhere? And then you would have to break it into characters? Wouldn't that operation require a standard string? Doesn't this render the class by itself useless when used with standard .NET components?

]]> By: digital loss prevention guru http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/comment-page-1/#comment-3661 digital loss prevention guru Wed, 05 Nov 2008 21:22:45 +0000 http://www.mini-tools.com/at2/csharp/wordpress/securestring-safe-from-forensics-but-not-surveillance/#comment-3661 I find it interesting that SecureString is impervious to forensic analysis by keeping its text encrypted while in memory. I find it interesting that SecureString is impervious to forensic analysis by keeping its text encrypted while in memory.

]]>