I got asked an interesting question about that would potentially apply to lots of products and thought it would be an interesting question to talk about here. It went like this:
Most sites have a sign in mechanism that takes passwords from end users via an ASP.NET textbox. We go onto to store that password in a string and, by definition then , strings are stored in managed memory on the heap, and if one happens to take a hang dump the password will be in clear text. It would also be true to say that we do not control exactly when the clear text password gets garbage collected. The question then is would immediately storing user entered passwords in a System.Net.NetworkCredential and/or System.Security.SecureString in ASP.NET provide any worthwhile security benefit.
My initial answer started as a "maybe" and finally morphed into a fairly strong "no".
To be clear there are lots of situations where managing sensitive information with SecureString is critical, let's look at a canonical command line example:
public static void Main()
{
using (var securePwd = new SecureString())
{
ConsoleKeyInfo key;
Console.Write("Enter password: ");
do
{
key = Console.ReadKey(true);
if (((int)key.Key) >= 65 && ((int)key.Key <= 90))
{
securePwd.AppendChar(key.KeyChar);
Console.Write("*");
}
}
while (key.Key != ConsoleKey.Enter);
Console.WriteLine();
try
{
Process.Start("Notepad.exe", "MyUser", securePwd, "MYDOMAIN");
}
catch (Win32Exception e)
{
Console.WriteLine(e.Message);
}
}
}
You can see in this console app I am appending each character directly SecureString so there are no strings floating about. I am also taking advantage of the using pattern and ensure that SecureString object will be disposed of quickly or I could have explicitly used the Dispose method to remove the memory more directly. Would such a pattern help in ASP.NET? I am inclined to think not. What is important to remember here is that strings are immutable (unchangeable) so after you create one for any reason anything you do to it ends up creating a new string for you to manipulate. With that in mind consider then how you get from w3wp process to your specific app domain in the following image.
If the information you are getting off the wire is all about strings to begin with whatever you deserialize that string into after the fact becomes the equivalent of closing the barn door after the horse has already bolted.
This is my loosely held opinion I would love for someone to present a contrary opinion, even if it covers a small use case where SecureString might be useful when handling passwords in this way.
Comments are closed.