
Can a password be stored in plain text as long as it's in memory and not persisted to a database, files etc.?

Please see the code snippets below (one holds the sensitive data, like a password, in plain text and the other encrypts the plain text). I understand that if one persists these in files or a database etc., one needs to take preventive measures like setting ACLs so that an attacker cannot get to them easily.

But, what if the password doesn't need to be persisted:

  1. Is approach 2 really better than approach 1, as the password is in memory only? Or is it unnecessary? Or is there a possibility that someone can read through the memory to get to the password, so that it is always recommended to be encrypted, whether in memory or while persisted?

  2. What if the object is serialized and passed across app domains? (Please note that I understand that if the password is sent via HTTP (over the network) it needs to be encrypted, but if it's just across app domains, can I send plain passwords?)

Regards,

Plain text password code snippet

    [Serializable]
    class PlainTextPassword
    {
        // Password stored in plain text
        private string _plainTextPassword = null;

        public PlainTextPassword(string password)
        {
            this._plainTextPassword = password;
        }

        public string Password
        {
            get
            {
                return this._plainTextPassword;
            }
        }
    }

Encrypted password code snippet

    using System;
    using System.Security.Cryptography;

    [Serializable]
    class EncryptedPassword
    {
        // Password held only in DPAPI-protected form (bound to the current Windows user)
        private string _encryptedPassword = null;

        public EncryptedPassword(string password)
        {
            byte[] encryptedPassword = ProtectedData.Protect(
                System.Text.Encoding.Unicode.GetBytes(password), null, DataProtectionScope.CurrentUser);
            // Base64 keeps the arbitrary ciphertext bytes intact; decoding them as UTF-16 text
            // (Encoding.Unicode.GetString) would corrupt invalid code units and break Unprotect later
            this._encryptedPassword = Convert.ToBase64String(encryptedPassword);
        }

        public string Password
        {
            get
            {
                return this._encryptedPassword;
            }
        }
    }

Approach 2) isn't any more secure than 1) in terms of memory snapshots. You have no control over when the original password is released by the GC (as you have little control over the GC) - so if you're shooting for security against memory snapshots, take a look at

SecureString

Reference: http://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.110).aspx

As for tools that can take a memory snapshot, take a look at some profilers (like Dynatrace).
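As an added example (not part of the question or the answer), this shows how the SecureString approach the answer recommends avoids the problem in both snippets above, where the constructor's `string password` parameter already leaves the plaintext on the managed heap: the secret is built one character at a time, and when it must be used it is copied into a buffer that is wiped afterwards instead of being turned back into a `string`. It assumes .NET Framework on Windows, where SecureString contents are encrypted in memory; `SecretHandling`, `ReadSecretFromConsole` and `UseSecret` are names chosen for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Example code: keep a secret out of the managed heap as a plain string.
static class SecretHandling
{
    // Build the SecureString character by character (here from console input),
    // so the whole secret never exists as an immutable managed string.
    public static SecureString ReadSecretFromConsole()
    {
        var secret = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        secret.MakeReadOnly(); // no further mutation allowed
        return secret;
    }

    // Use the secret without calling Marshal.PtrToStringUni, which would recreate
    // a managed string and undo the benefit. Copy into a char[] we control,
    // hand it to the consumer, then wipe both the managed and unmanaged copies.
    public static T UseSecret<T>(SecureString secret, Func<char[], T> consumer)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            for (int i = 0; i < chars.Length; i++)
                chars[i] = (char)Marshal.ReadInt16(unmanaged, i * 2);
            return consumer(chars);
        }
        finally
        {
            Array.Clear(chars, 0, chars.Length);               // wipe managed copy
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged); // wipe and free unmanaged copy
        }
    }
}
```

The consumer passed to `UseSecret` (for example a hashing or credential-binding routine) should work on the `char[]` directly and not convert it to a `string`, otherwise the plaintext is back on the heap until the GC decides to collect it.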
