The MSDN example here reads character by character in order to prepare a secure string, which is possible in console or desktop applications. I do not see any direct way to read the user's password character by character in the case of pure ASP.NET. Whatever technique I use, I end up storing the password in some kind of string or making use of TextBox.Text, which internally returns a String. SecureString prevents revelation of information to the hacker. In the case of ASP.NET, a hacker who gains access to memory can definitely read TextBox.Text and find out the information. Moreover, the web application is deployed on a server, and the server will be highly secured, which definitely prevents a hacker's direct access to memory.

So, is SecureString really useful in ASP.NET?

Ashif Nataliya
  • But he says "it makes little sense". Shouldn't it be "it makes no sense"? Because it does not serve its purpose in ASP.NET. SecureString claims that it prevents revelation. But does it 100% prevent revelation in ASP.NET? – Ashif Nataliya May 21 '14 at 07:59
  • `SecureString` isn't useful against hackers who can read your application's memory. It only prevents accidental leaks via swap file, crash dump, etc. It also allows you to wipe the password once you don't need it anymore, whereas normal strings can linger for a long time. – CodesInChaos May 21 '14 at 08:09
  • @CodesInChaos yes, with DebugDiag or ClrMD, I can easily inspect memory and reveal unsecure strings – Cybermaxs May 21 '14 at 08:15
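
An added example, not part of the original question or comments, showing the situation discussed above: a password that arrives as a `String` stays in managed memory even after it is copied into a `SecureString`, while a `char[]` copy and the decrypted unmanaged buffer can be wiped. The sample password and the helper names `FromChars` and `WithPlaintext` are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Copies the characters into a read-only SecureString, then zeroes the source buffer.
    static SecureString FromChars(char[] buffer)
    {
        var secure = new SecureString();
        try
        {
            foreach (char c in buffer) secure.AppendChar(c);
            secure.MakeReadOnly();
            return secure;
        }
        catch { secure.Dispose(); throw; }
        finally { Array.Clear(buffer, 0, buffer.Length); }
    }

    // Decrypts into unmanaged memory only while 'use' runs, then zeroes and frees it.
    static T WithPlaintext<T>(SecureString secure, Func<IntPtr, int, T> use)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            return use(ptr, secure.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        // Constructed sample standing in for TextBox.Text in a web form.
        string posted = "correct horse";      // immutable managed string: cannot be wiped
        char[] buffer = posted.ToCharArray(); // mutable copy: can be wiped

        using (SecureString secure = FromChars(buffer))
        {
            int length = WithPlaintext(secure, (p, n) => n);
            Console.WriteLine("buffer wiped: " + (buffer[0] == '\0'));
            Console.WriteLine("secure length: " + length);
        }
        // The original string was never cleared by any of the steps above.
        Console.WriteLine("posted still holds plaintext: " + (posted == "correct horse"));
    }
}
```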
