Solved

SecureString - display contents

Posted on 2014-11-21
12
108 Views
Last Modified: 2014-11-22
I would like to give a user the opportunity to see a password that is stored in a SecureString.
eg.
Toggle between:
********
and
password

Looking at the help files I saw a ToString() funtion and an example of passing the secure string into a process.start so I (wrongly) assumed that displaying SecureStringVariable.ToString() would result in toggling ******** to password.  It doesn't.  It toggles ******** to System.Security.SecureString

Hmmm.  Not what I wanted.  :-(

Is there an easy way to get the contents of the SecureString into a string variable?
0
Comment
Question by:AndyAinscow
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458207
Is there an easy way to get the contents of the SecureString into a string variable?
If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458214
Also, from the documenation:

Note that SecureString has no members that inspect, compare, or convert the value of a SecureString.  The absence of such members helps protect the value of the instance from accidental or malicious exposure.
Maybe you could do some reflection, but since the internal string is encrypted, you'd have to locate the key (might require some decompilation of the library). But if you're going that route, I still contend my previous argument.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458223
On second glance at the docs, perhaps there's something in:

Use appropriate members of the System.Runtime.InteropServices.Marshal class, such as the SecureStringToBSTR method, to manipulate the value of a SecureString object.
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458232
>>If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
A touch of paranoia.  With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that so the SecureString looked as if it could be useful.  (Never used it before today).  I'm having to  have a rethink about my strategy and requirements.  Maybe I'm too paranoid.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458234
>>System.Runtime.InteropServices.Marshal
Seen that, thought I'd ask first rather than spending time re-inventing the wheel.
0
 
LVL 75

Accepted Solution

by:
käµfm³d   👽 earned 500 total points
ID: 40458238
Well this appears to work:

SecureString s = new SecureString();

"hello".ToList().ForEach(c => s.AppendChar(c));

IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(s);
string q = System.Runtime.InteropServices.Marshal.PtrToStringAuto(ptr);

Open in new window

0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458239
I'm off line now until tomorrow.  Probably going to dream about 'the greasy pole' - three forward then slide two back.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458243
Just seen your last comment.  I'll give it a go tomorrow - looks easier than I anticipated.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458249
With C++ I could easily overwrite a piece of memory to erase it, the immutablity of .net strings prevents me doing that...
Well since you appear to be going cowboy anyway  (  :-P  ) you could use unsafe code:

http://msdn.microsoft.com/en-us/library/ms228599.aspx (last example)
0
 
LVL 70

Expert Comment

by:Éric Moreau
ID: 40458416
I have an example at http://emoreau.com/Entries/Articles/2006/08/Strings-Strings-Strings.aspx showing how to get the content of a SecureString.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40459089
Thanks.  That works nicely.

>>Well since you appear to be going cowboy anyway
Just the Iron Horse versions:
http://www.ainscow.ch/bike/BikeMannhard.jpg


ps.  In my home country calling someone a cowboy when related to work is an insult.  A cowboy will just do a hack that usually will cost more to repair than the original job would have cost with a reputable firm in the first place.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40459548
Point taken  : )
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Although it is an old technology, serial ports are still being used by many hardware manufacturers. If you develop applications in C#, Microsoft .NET framework has SerialPort class to communicate with the serial ports.  I needed to…
Performance in games development is paramount: every microsecond counts to be able to do everything in less than 33ms (aiming at 16ms). C# foreach statement is one of the worst performance killers, and here I explain why.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question