Solved

SecureString - display contents

Posted on 2014-11-21
12
99 Views
Last Modified: 2014-11-22
I would like to give a user the opportunity to see a password that is stored in a SecureString.
eg.
Toggle between:
********
and
password

Looking at the help files I saw a ToString() funtion and an example of passing the secure string into a process.start so I (wrongly) assumed that displaying SecureStringVariable.ToString() would result in toggling ******** to password.  It doesn't.  It toggles ******** to System.Security.SecureString

Hmmm.  Not what I wanted.  :-(

Is there an easy way to get the contents of the SecureString into a string variable?
0
Comment
Question by:AndyAinscow
  • 6
  • 5
12 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458207
Is there an easy way to get the contents of the SecureString into a string variable?
If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458214
Also, from the documenation:

Note that SecureString has no members that inspect, compare, or convert the value of a SecureString.  The absence of such members helps protect the value of the instance from accidental or malicious exposure.
Maybe you could do some reflection, but since the internal string is encrypted, you'd have to locate the key (might require some decompilation of the library). But if you're going that route, I still contend my previous argument.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458223
On second glance at the docs, perhaps there's something in:

Use appropriate members of the System.Runtime.InteropServices.Marshal class, such as the SecureStringToBSTR method, to manipulate the value of a SecureString object.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458232
>>If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
A touch of paranoia.  With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that so the SecureString looked as if it could be useful.  (Never used it before today).  I'm having to  have a rethink about my strategy and requirements.  Maybe I'm too paranoid.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458234
>>System.Runtime.InteropServices.Marshal
Seen that, thought I'd ask first rather than spending time re-inventing the wheel.
0
 
LVL 75

Accepted Solution

by:
käµfm³d   👽 earned 500 total points
ID: 40458238
Well this appears to work:

SecureString s = new SecureString();

"hello".ToList().ForEach(c => s.AppendChar(c));

IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(s);
string q = System.Runtime.InteropServices.Marshal.PtrToStringAuto(ptr);

Open in new window

0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458239
I'm off line now until tomorrow.  Probably going to dream about 'the greasy pole' - three forward then slide two back.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458243
Just seen your last comment.  I'll give it a go tomorrow - looks easier than I anticipated.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458249
With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that...
Well since you appear to be going cowboy anyway  (  :-P  ) you could use unsafe code:

http://msdn.microsoft.com/en-us/library/ms228599.aspx (last example)
0
 
LVL 70

Expert Comment

by:Éric Moreau
ID: 40458416
I have an example at http://emoreau.com/Entries/Articles/2006/08/Strings-Strings-Strings.aspx showing how to get the content of a SecureString.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40459089
Thanks.  That works nicely.

>>Well since you appear to be going cowboy anyway
Just the Iron Horse versions:
http://www.ainscow.ch/bike/BikeMannhard.jpg


ps.  In my home country calling someone a cowboy when related to work is an insult.  A cowboy will just do a hack that usually will cost more to repair than the original job would have cost with a reputable firm in the first place.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40459548
Point taken  : )
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction Although it is an old technology, serial ports are still being used by many hardware manufacturers. If you develop applications in C#, Microsoft .NET framework has SerialPort class to communicate with the serial ports.  I needed to…
Introduction Hi all and welcome to my first article on Experts Exchange. A while ago, someone asked me if i could do some tutorials on object oriented programming. I decided to do them on C#. Now you may ask me, why's that? Well, one of the re…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question