[英]How secure is the WPF PasswordBox, really?
I've already asked a couple of questions around the PasswordBox
recently, but at the heart of my issue, I need an extremely secure way of getting very sensitive information inputted into my .Net application.我最近已经问了几个关于PasswordBox
的问题,但在我的问题的核心,我需要一种非常安全的方式来将非常敏感的信息输入到我的 .Net 应用程序中。
Out of the box, the WPF PasswordBox
is the go to control for getting passwords, or other sensitive information.开箱即用,WPF PasswordBox
是用于获取密码或其他敏感信息的控件。 For the sake of security, it provides a SecureString
object through the SecurePassword
property which is, in my case, secure enough for my needs.为了安全起见,它通过SecurePassword
属性提供了一个SecureString
对象,在我的情况下,它足以满足我的需要。 However, there is one major flaw that I see with this control-- it has a Password
property which is the user-entered content in an insecure .Net string.但是,我发现这个控件有一个主要缺陷——它有一个Password
属性,它是用户在不安全的 .Net 字符串中输入的内容。
I would like to assume that if I never access the Password
property within my application, an insecure version of my sensitive information will never be generated and have to be garbage collected.我想假设如果我从不访问我的应用程序中的Password
属性,我的敏感信息的不安全版本将永远不会生成并且必须被垃圾收集。 That fine.那很好。 However, since the point of the secured form of the string is to keep the value secure from a snooping process (I assume) that can read the .Net memory, could the same snooping malicious codes simply look for a PasswordBox
that is hanging around in memory and find some way to access the Password
field, making the use of the SecureString
value essentially useless?然而,由于该字符串的安全形式的一点是要保持数值从监听过程安全(我认为),可以阅读.NET内存,可以在相同的侦听恶意代码只是寻找一个PasswordBox
被挂在内存并找到某种方法来访问Password
字段,使SecureString
值的使用基本上无用?
I will admit, I have no clue how these exploits are executed.我承认,我不知道这些漏洞是如何执行的。 However, if the problem is that some application might be sniffing your variables in the .Net memory manager/garbage collector, it would seem plausible to me that all they'd have to do is access the PasswordBox
control object, rather than a string object in memory and simply access the Password
property.但是,如果问题是某些应用程序可能在 .Net 内存管理器/垃圾收集器中嗅探您的变量,那么在我看来他们所要做的就是访问PasswordBox
控制对象而不是字符串对象似乎是合理的在内存中,只需访问Password
属性。 What might I be missing in this puzzle?在这个谜题中我可能遗漏了什么? How is the PasswordBox
even secure if it contains a Password
property in clear text?如何在PasswordBox
甚至安全,如果它包含一个Password
以明文形式的财产?
PasswordBox.Password
property creates .NET string from SecurePassword
property, it does not store it as string internally. PasswordBox.Password
属性从SecurePassword
属性创建 .NET 字符串,它不会在内部将其存储为字符串。 The whole point of using SecureString
is to reduce amount of time sensetive data is present in memory, and reduce number of copies of that sensetive data.使用SecureString
的全部目的是减少内存中存在感性数据的时间量,并减少该感性数据的副本数量。 You can read more about SecureString
in documentation .您可以在文档中阅读有关SecureString
更多信息。
SecureString
is encrypted (if possible, and usually it is), so if someone can just read raw memory (such as someone stealing your memory dump) - he will not be able to read your password from it. SecureString
是加密的(如果可能,通常是这样),因此如果有人可以读取原始内存(例如有人窃取您的内存转储) - 他将无法从中读取您的密码。 If your application is so compromised that attacker can inject his own dll into your process and run arbitrary code there - then you have bigger problems anyway (and still there is high chance that password will not be present in memory already).如果您的应用程序受到如此严重的威胁,攻击者可以将他自己的 dll 注入您的进程并在那里运行任意代码 - 那么无论如何您都会遇到更大的问题(并且密码仍然很可能已经不存在于内存中)。
That said, you can still follow some reasonable guidelines when using PasswordBox
and SecureString
s in general.也就是说,在使用PasswordBox
和SecureString
时,您仍然可以遵循一些合理的准则。
Always dispose result of PasswordBox.SecurePassword
if you ever need to access it:如果您需要访问它,请始终处理PasswordBox.SecurePassword
结果:
using (var pwd = myBox.SecurePassword) { // do stuff }
This might look strange (disposing something returned by property), but it should be done, because this property returns a copy of SecureString
and should have been a method instead, but for some reason is property.这可能看起来很奇怪(处理由属性返回的某些内容),但应该这样做,因为此属性返回SecureString
的副本并且应该是一个方法,但由于某种原因是属性。
Access Password
property as rare as possible, preferrably only once when you really need it.尽可能少地访问Password
属性,最好只在您真正需要它时使用一次。 You don't want copies of password to stay in memory more and longer than needed.您不希望密码副本在内存中停留的时间超过所需时间。
Always call yourBox.Clear()
when you are done.完成后始终调用yourBox.Clear()
。 This will set password to empty string and clear interal SecureString
memory.这会将密码设置为空字符串并清除内部SecureString
内存。
You don't have to take guesses, you can just look it up .您不必采取猜测,你可以看看它。
The passwordbox has no field Password
.密码框没有字段Password
。 It has a field PasswordTextContainer that keeps the password.它有一个用于保存密码的字段PasswordTextContainer 。
This means the documentation is correct that says这意味着文档是正确的
Remarks评论
When you get the Password property value, you expose the password as plain text in memory.当您获得 Password 属性值时,您将密码以纯文本形式显示在内存中。 To avoid this potential security risk, use the SecurePassword property to get the password as a SecureString.为避免这种潜在的安全风险,请使用 SecurePassword 属性以 SecureString 形式获取密码。
If you don't read it as plaintext and keep it as plaintext in your app, it won't be plaintext.如果您不将其作为明文阅读并将其作为明文保存在您的应用程序中,则它不会是明文。
But again, don't trust random people on the internet (including me!), just look at it yourself .但同样,不要相信互联网上的随机人(包括我!), 自己看看吧。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.