?
Solved

SecureString - display contents

Posted on 2014-11-21
12
Medium Priority
?
110 Views
Last Modified: 2014-11-22
I would like to give a user the opportunity to see a password that is stored in a SecureString.
eg.
Toggle between:
********
and
password

Looking at the help files I saw a ToString() funtion and an example of passing the secure string into a process.start so I (wrongly) assumed that displaying SecureStringVariable.ToString() would result in toggling ******** to password.  It doesn't.  It toggles ******** to System.Security.SecureString

Hmmm.  Not what I wanted.  :-(

Is there an easy way to get the contents of the SecureString into a string variable?
0
Comment
Question by:AndyAinscow
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458207
Is there an easy way to get the contents of the SecureString into a string variable?
If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458214
Also, from the documenation:

Note that SecureString has no members that inspect, compare, or convert the value of a SecureString.  The absence of such members helps protect the value of the instance from accidental or malicious exposure.
Maybe you could do some reflection, but since the internal string is encrypted, you'd have to locate the key (might require some decompilation of the library). But if you're going that route, I still contend my previous argument.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458223
On second glance at the docs, perhaps there's something in:

Use appropriate members of the System.Runtime.InteropServices.Marshal class, such as the SecureStringToBSTR method, to manipulate the value of a SecureString object.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458232
>>If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
A touch of paranoia.  With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that so the SecureString looked as if it could be useful.  (Never used it before today).  I'm having to  have a rethink about my strategy and requirements.  Maybe I'm too paranoid.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458234
>>System.Runtime.InteropServices.Marshal
Seen that, thought I'd ask first rather than spending time re-inventing the wheel.
0
 
LVL 75

Accepted Solution

by:
käµfm³d   👽 earned 2000 total points
ID: 40458238
Well this appears to work:

SecureString s = new SecureString();

"hello".ToList().ForEach(c => s.AppendChar(c));

IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(s);
string q = System.Runtime.InteropServices.Marshal.PtrToStringAuto(ptr);

Open in new window

0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458239
I'm off line now until tomorrow.  Probably going to dream about 'the greasy pole' - three forward then slide two back.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458243
Just seen your last comment.  I'll give it a go tomorrow - looks easier than I anticipated.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458249
With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that...
Well since you appear to be going cowboy anyway  (  :-P  ) you could use unsafe code:

http://msdn.microsoft.com/en-us/library/ms228599.aspx (last example)
0
 
LVL 70

Expert Comment

by:Éric Moreau
ID: 40458416
I have an example at http://emoreau.com/Entries/Articles/2006/08/Strings-Strings-Strings.aspx showing how to get the content of a SecureString.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40459089
Thanks.  That works nicely.

>>Well since you appear to be going cowboy anyway
Just the Iron Horse versions:
http://www.ainscow.ch/bike/BikeMannhard.jpg


ps.  In my home country calling someone a cowboy when related to work is an insult.  A cowboy will just do a hack that usually will cost more to repair than the original job would have cost with a reputable firm in the first place.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40459548
Point taken  : )
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In order to hide the "ugly" records selectors (triangles) in the rowheaders, here are some suggestions. Microsoft doesn't have a direct method/property to do it. You can only hide the rowheader column. First solution, the easy way The first sol…
Introduction Although it is an old technology, serial ports are still being used by many hardware manufacturers. If you develop applications in C#, Microsoft .NET framework has SerialPort class to communicate with the serial ports.  I needed to…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question