Solved

SecureString - display contents

Posted on 2014-11-21
Last Modified: 2014-11-22
I would like to give a user the opportunity to see a password that is stored in a SecureString.
eg.
Toggle between:
********
and
password

Looking at the help files I saw a ToString() function and an example of passing the secure string into a process.start so I (wrongly) assumed that displaying SecureStringVariable.ToString() would result in toggling ******** to password.  It doesn't.  It toggles ******** to System.Security.SecureString

Hmmm.  Not what I wanted.  :-(

Is there an easy way to get the contents of the SecureString into a string variable?
Question by:AndyAinscow
12 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458207
Is there an easy way to get the contents of the SecureString into a string variable?
If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458214
Also, from the documentation:

Note that SecureString has no members that inspect, compare, or convert the value of a SecureString.  The absence of such members helps protect the value of the instance from accidental or malicious exposure.
Maybe you could do some reflection, but since the internal string is encrypted, you'd have to locate the key (might require some decompilation of the library). But if you're going that route, I still contend my previous argument.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458223
On second glance at the docs, perhaps there's something in:

Use appropriate members of the System.Runtime.InteropServices.Marshal class, such as the SecureStringToBSTR method, to manipulate the value of a SecureString object.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458232
>>If you're going to do that, then you've defeated the purpose of SecureString, so why even use it?
A touch of paranoia.  With C++ I could easily overwrite a piece of memory to erase it, the immutability of .net strings prevents me doing that so the SecureString looked as if it could be useful.  (Never used it before today).  I'm having to have a rethink about my strategy and requirements.  Maybe I'm too paranoid.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458234
>>System.Runtime.InteropServices.Marshal
Seen that, thought I'd ask first rather than spending time re-inventing the wheel.
0
 
LVL 75

Accepted Solution

by:
käµfm³d   👽 earned 500 total points
ID: 40458238
Well this appears to work:

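// requires: using System; using System.Linq; using System.Security;
SecureString s = new SecureString();

"hello".ToList().ForEach(c => s.AppendChar(c));

// Decrypt into an unmanaged BSTR, copy it to a managed string, then zero and free the BSTR
IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(s);
string q = System.Runtime.InteropServices.Marshal.PtrToStringBSTR(ptr);
System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);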

0
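An added example, not part of the original thread or any poster's code: it combines the Marshal approach from the accepted solution with the asker's wish to erase the plaintext afterwards, by copying into a `char[]` that can be overwritten instead of an immutable `string`. The class and method names (`SecureStringReveal`, `WithPlaintext`) and the `reveal` flag are hypothetical, and `"hello"` is a constructed sample value.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringReveal
{
    // Hypothetical helper: exposes the plaintext to 'use' as a char[] and
    // wipes both the unmanaged and the managed copy when 'use' returns or throws.
    public static void WithPlaintext(SecureString secret, Action<char[]> use)
    {
        if (secret == null) throw new ArgumentNullException("secret");
        if (use == null) throw new ArgumentNullException("use");

        IntPtr ptr = IntPtr.Zero;
        char[] buffer = new char[secret.Length];
        try
        {
            // Decrypts into unmanaged memory as UTF-16
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(ptr, buffer, 0, buffer.Length);
            use(buffer);
        }
        finally
        {
            // Overwrite the managed copy, then zero and free the unmanaged one
            Array.Clear(buffer, 0, buffer.Length);
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        using (var secret = new SecureString())
        {
            foreach (char c in "hello") secret.AppendChar(c); // constructed sample value
            secret.MakeReadOnly();

            bool reveal = true; // state of the show/hide toggle (assumed)
            if (reveal)
                WithPlaintext(secret, chars => Console.Out.WriteLine(chars));
            else
                Console.WriteLine(new string('*', secret.Length));
        }
    }
}
```

Handing the characters to anything that takes a `string`, such as a text box's `Text` property, creates an immutable copy that this helper cannot wipe.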
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458239
I'm off line now until tomorrow.  Probably going to dream about 'the greasy pole' - three forward then slide two back.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40458243
Just seen your last comment.  I'll give it a go tomorrow - looks easier than I anticipated.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40458249
With C++ I could easily overwrite a piece of memory to erase it, the immutability of .net strings prevents me doing that...
Well since you appear to be going cowboy anyway  (  :-P  ) you could use unsafe code:

http://msdn.microsoft.com/en-us/library/ms228599.aspx (last example)
0
 
LVL 69

Expert Comment

by:Éric Moreau
ID: 40458416
I have an example at http://emoreau.com/Entries/Articles/2006/08/Strings-Strings-Strings.aspx showing how to get the content of a SecureString.
0
 
LVL 44

Author Comment

by:AndyAinscow
ID: 40459089
Thanks.  That works nicely.

>>Well since you appear to be going cowboy anyway
Just the Iron Horse versions:
http://www.ainscow.ch/bike/BikeMannhard.jpg


ps.  In my home country calling someone a cowboy when related to work is an insult.  A cowboy will just do a hack that usually will cost more to repair than the original job would have cost with a reputable firm in the first place.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 40459548
Point taken  : )
0
