Solved

SecureString - display contents

Posted on 2014-11-21
12
89 Views
Last Modified: 2014-11-22
I would like to give a user the opportunity to see a password that is stored in a SecureString.
eg.
Toggle between:
********
and
password

Looking at the help files I saw a ToString() funtion and an example of passing the secure string into a process.start so I (wrongly) assumed that displaying SecureStringVariable.ToString() would result in toggling ******** to password.  It doesn't.  It toggles ******** to System.Security.SecureString

Hmmm.  Not what I wanted.  :-(

Is there an easy way to get the contents of the SecureString into a string variable?
0
Comment
Question by:AndyAinscow
  • 6
  • 5
12 Comments
 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
Is there an easy way to get the contents of the SecureString into a string variable?
If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
Also, from the documenation:

Note that SecureString has no members that inspect, compare, or convert the value of a SecureString.  The absence of such members helps protect the value of the instance from accidental or malicious exposure.
Maybe you could do some reflection, but since the internal string is encrypted, you'd have to locate the key (might require some decompilation of the library). But if you're going that route, I still contend my previous argument.
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
On second glance at the docs, perhaps there's something in:

Use appropriate members of the System.Runtime.InteropServices.Marshal class, such as the SecureStringToBSTR method, to manipulate the value of a SecureString object.
0
 
LVL 44

Author Comment

by:AndyAinscow
Comment Utility
>>If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
A touch of paranoia.  With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that so the SecureString looked as if it could be useful.  (Never used it before today).  I'm having to  have a rethink about my strategy and requirements.  Maybe I'm too paranoid.
0
 
LVL 44

Author Comment

by:AndyAinscow
Comment Utility
>>System.Runtime.InteropServices.Marshal
Seen that, thought I'd ask first rather than spending time re-inventing the wheel.
0
 
LVL 74

Accepted Solution

by:
käµfm³d   👽 earned 500 total points
Comment Utility
Well this appears to work:

SecureString s = new SecureString();

"hello".ToList().ForEach(c => s.AppendChar(c));

IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(s);
string q = System.Runtime.InteropServices.Marshal.PtrToStringAuto(ptr);

Open in new window

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 44

Author Comment

by:AndyAinscow
Comment Utility
I'm off line now until tomorrow.  Probably going to dream about 'the greasy pole' - three forward then slide two back.
0
 
LVL 44

Author Comment

by:AndyAinscow
Comment Utility
Just seen your last comment.  I'll give it a go tomorrow - looks easier than I anticipated.
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that...
Well since you appear to be going cowboy anyway  (  :-P  ) you could use unsafe code:

http://msdn.microsoft.com/en-us/library/ms228599.aspx (last example)
0
 
LVL 69

Expert Comment

by:Éric Moreau
Comment Utility
I have an example at http://emoreau.com/Entries/Articles/2006/08/Strings-Strings-Strings.aspx showing how to get the content of a SecureString.
0
 
LVL 44

Author Comment

by:AndyAinscow
Comment Utility
Thanks.  That works nicely.

>>Well since you appear to be going cowboy anyway
Just the Iron Horse versions:
http://www.ainscow.ch/bike/BikeMannhard.jpg


ps.  In my home country calling someone a cowboy when related to work is an insult.  A cowboy will just do a hack that usually will cost more to repair than the original job would have cost with a reputable firm in the first place.
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
Comment Utility
Point taken  : )
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Extention Methods in C# 3.0 by Ivo Stoykov C# 3.0 offers extension methods. They allow extending existing classes without changing the class's source code or relying on inheritance. These are static methods invoked as instance method. This…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now