Posts

Showing posts from April, 2017

SecureString for managing passwords in memory

As the brush with 2-tier apps continues, the usual recommendations to manage the memory from leakage is to overwrite it quickly once its use is over. Although, it does not prevents the leakage completely, it reduces the attack surface by a considerable extent. Fortunately, for .Net application there's a method called SecureString. This class allows you to keep string data encrypted in memory. But a few things to keep in mind. Liked the below points from a discussion from stackoverflow post:
Do you know how many times I've seen such scenarios(answer is: many!):

1.A password appears in a log file accidentally.
2.A password is being shown at somewhere - once a GUI did show a command line of application that was being run, and the command line consisted of password.
3.Using memory profiler to profile software with your colleague. Colleague sees your password in memory. Sounds unreal? Not at all.
4.Some tools such as  RedGate software that could capture the "value" of lo…