Saliya's Blogs

Mostly technical stuff with some interesting moments of life

C# String Vs Secure String


Interesting articles on the subject:

1.) http://blogs.msdn.com/b/shawnfa/archive/2004/05/27/143254.aspx

2.) http://blogs.msdn.com/b/fpintos/archive/2009/06/12/how-to-properly-convert-securestring-to-string.aspx

In summary, a string object is not the best place to keep sensitive information such as passwords or credit card numbers: it cannot be locked to one place in memory, it is immutable (so modifying it results in multiple copies), and its memory may be paged out (the sensitive data is now in tmp files) (see 1). Use SecureString as a solution, but sometimes you may still need the unsecured string representation, as some APIs still don't support secure strings (see 2).

While you are at it, you may also like to read about reading a string securely from the console:

3.) http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx

4.) http://stackoverflow.com/questions/3404421/password-masking-console-application
