Comments on: SecureString: Safe from Forensics, but not Surveillance http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/ C# Development Fri, 03 Feb 2012 11:14:43 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Roman http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/#comment-391 Roman Mon, 27 Sep 2010 08:47:57 +0000 http://www.mini-tools.com/at2/csharp/wordpress/securestring-safe-from-forensics-but-not-surveillance/#comment-391 Thanks for tutorial. I've been looking for some clear answer. Thanks for tutorial. I’ve been looking for some clear answer.

]]> By: timm http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/#comment-390 timm Fri, 14 Aug 2009 17:50:47 +0000 http://www.mini-tools.com/at2/csharp/wordpress/securestring-safe-from-forensics-but-not-surveillance/#comment-390 John, you are correct, if you use a standard WinForms TextBox to collect the string from the user, then it doesn't matter whether you use a SecureString to store it... your string has already been exposed in the TextBox's Text property. If you need a TextBox to obtain a secure string from the user, then you need a special TextBox that keeps the string secure. Here's a good example: http://coolthingoftheday.blogspot.com/2006/03/securepasswordtextbox-securestring.html John, you are correct, if you use a standard WinForms TextBox to collect the string from the user, then it doesn’t matter whether you use a SecureString to store it… your string has already been exposed in the TextBox’s Text property.

If you need a TextBox to obtain a secure string from the user, then you need a special TextBox that keeps the string secure. Here’s a good example:

http://coolthingoftheday.blogspot.com/2006/03/securepasswordtextbox-securestring.html

]]> By: John http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/#comment-389 John Tue, 11 Aug 2009 17:15:48 +0000 http://www.mini-tools.com/at2/csharp/wordpress/securestring-safe-from-forensics-but-not-surveillance/#comment-389 Okay -- am I seeing a chicken before the egg thing here? How can you populate one of these secure strings without an original string residing in memory at some point? If you get a password from a standard Winforms textbox wouldn't the Text property be stored in memory somewhere? And then you would have to break it into characters? Wouldn't that operation require a standard string? Doesn't this render the class by itself useless when used with standard .NET components? Okay — am I seeing a chicken before the egg thing here? How can you populate one of these secure strings without an original string residing in memory at some point? If you get a password from a standard Winforms textbox wouldn’t the Text property be stored in memory somewhere? And then you would have to break it into characters? Wouldn’t that operation require a standard string? Doesn’t this render the class by itself useless when used with standard .NET components?

]]> By: digital loss prevention guru http://www.csharp411.com/securestring-safe-from-forensics-but-not-surveillance/#comment-388 digital loss prevention guru Wed, 05 Nov 2008 21:22:45 +0000 http://www.mini-tools.com/at2/csharp/wordpress/securestring-safe-from-forensics-but-not-surveillance/#comment-388 I find it interesting that SecureString is impervious to forensic analysis by keeping its text encrypted while in memory. I find it interesting that SecureString is impervious to forensic analysis by keeping its text encrypted while in memory.

]]>