Password input protection in a C# dotnet core console application

I have had a question for a long time that I can't find an answer to here. I am writing a C# console application in dotnet core and am trying to allow the user to enter a password, and I am concerned about security, especially memory dumping.

The following is a password-masking console application. I understand that a password stored in a string variable can be recovered from a memory dump (link).

SecureString is usually suggested here, but it doesn't seem to be supported in dotnet core.

I tried to change the code to use a char array because my limited understanding is that it is not immutable, so it won't be stored in one piece of memory. Honestly though, security is not my forte, so my question is: does the code below correctly protect me from exposing my password via a memory dump?

        Console.WriteLine("Enter pass");
        char[] passwordArray = new char[256];
        int whileIndex = 0;

        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(true); // true = intercept, so the key is not echoed
            if (key.Key == ConsoleKey.Enter)
            {
                break;
            }
            else if (key.Key == ConsoleKey.Backspace)
            {
                if (whileIndex != 0) //so it doesn't explode if someone holds backspace
                {
                    whileIndex--;
                    passwordArray[whileIndex] = '\0'; // wipe the removed character, not just the index
                }
            }
            else if (key.KeyChar != '\0' && whileIndex < passwordArray.Length) // skip control keys; never run past the buffer
            {
                passwordArray[whileIndex] = key.KeyChar;
                whileIndex++;
            }
        }
        //Truncate array to length of password
        //whileIndex already is the length; Array.IndexOf(passwordArray, '\0') would return -1 for a full buffer
        int endIndex = whileIndex;
        char[] shortenedPasswordArray = new char[endIndex];
        Array.Copy(passwordArray, shortenedPasswordArray, endIndex);

        //Authentication code here

        //Wipe the characters when done
        //(a foreach that indexes by the character's value, passwordArray[passChar], does not clear the positions that were written)
        Array.Clear(passwordArray, 0, passwordArray.Length);
        Array.Clear(shortenedPasswordArray, 0, shortenedPasswordArray.Length);

      

+3


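The same masked prompt, written as an added example rather than the asker's code, with the parts a memory-dump-conscious reviewer would ask for: the buffer is pinned so the garbage collector cannot relocate it and leave an unzeroed copy behind, a backspace clears the character it removes, input beyond the buffer is refused instead of throwing, a single slice of the buffer is handed to the caller instead of a second truncated copy, and the wipe runs in a finally block on every exit path. The PasswordCheck delegate and the authenticate callback are assumptions for the illustration; they are not from the original post.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not the asker's code). "authenticate" is a hypothetical callback
// that must consume the span without ever converting it to a System.String.
public delegate bool PasswordCheck(ReadOnlySpan<char> password);

public static class PasswordPrompt
{
    const int MaxLength = 256;

    public static bool Run(PasswordCheck authenticate)
    {
        char[] buffer = new char[MaxLength];
        // Pin the array: the GC may otherwise move it during compaction and leave
        // an unzeroed copy at the old address for a dump to find.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        int length = 0;
        try
        {
            Console.Write("Enter pass: ");
            while (true)
            {
                ConsoleKeyInfo key = Console.ReadKey(intercept: true); // no echo
                if (key.Key == ConsoleKey.Enter)
                {
                    break;
                }
                if (key.Key == ConsoleKey.Backspace)
                {
                    if (length > 0)
                    {
                        buffer[--length] = '\0'; // clear the character, not just the index
                    }
                    continue;
                }
                if (key.KeyChar == '\0')
                {
                    continue; // arrows, function keys and the like carry no character
                }
                if (length == MaxLength)
                {
                    Console.Beep(); // refuse instead of throwing IndexOutOfRangeException
                    continue;
                }
                buffer[length++] = key.KeyChar;
            }
            Console.WriteLine();

            // Hand over a slice of the one buffer rather than a truncated copy:
            // one fewer array to wipe.
            return authenticate(new ReadOnlySpan<char>(buffer, 0, length));
        }
        finally
        {
            // Runs on every exit path, including an exception thrown by authenticate.
            Array.Clear(buffer, 0, buffer.Length);
            pin.Free();
        }
    }
}
```

Two caveats remain even with this version. Console.ReadKey and the terminal host keep their own input buffers that this code cannot clear, and a full-process dump taken while the prompt is open will contain the plaintext whatever you do afterwards; the wipe only shortens the window, which is the point the first answer makes.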


2 answers


Some comments: 1) First of all, remember that security is not achieved within a single application. For someone with full access to the machine, there is almost nothing you can do to truly protect the password.

(Fun exercise: how would you authenticate a password without having to store the password in memory?)



2) SecureString gives you more control over the lifetime of a password in memory by allowing you to determine when it will go away. A normal string can last for a very long time in memory, even until the program exits, since it doesn't disappear until garbage collection. SecureString allows you to flush it, but it still persists in memory.

3) Using your own char array is a good idea, but I would use a List because it allows variable length, or maybe even a LinkedList because it spreads the characters around in memory. Shrug. Refer back to #1 and consider what attacks you are protecting the password against.

+2


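The lifetime control this answer describes, as an added example that is not the answerer's code. SecureString does exist in dotnet core (System.Security.SecureString, from .NET Core 2.0 onwards): characters are appended one at a time so no managed string is ever built, the plaintext copy needed by a consumer is created in unmanaged memory and zeroed as soon as the consumer returns, and Dispose clears the SecureString itself. The consumer callback is an assumption for the illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example (not the answerer's code). "consumer" is a hypothetical callback,
// e.g. a P/Invoke login routine that takes a pointer to a UTF-16 buffer.
public static class SecureStringPrompt
{
    public static SecureString Read()
    {
        var secure = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);
            if (key.Key == ConsoleKey.Enter)
            {
                break;
            }
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0)
                {
                    secure.RemoveAt(secure.Length - 1); // drops the character from the protected buffer
                }
            }
            else if (key.KeyChar != '\0')
            {
                secure.AppendChar(key.KeyChar); // one char at a time: no string is created
            }
        }
        secure.MakeReadOnly(); // further AppendChar/RemoveAt throw; Dispose still works
        return secure;
    }

    // Exposes the plaintext for the shortest possible time, then zeroes the copy.
    public static void UseAndWipe(SecureString secure, Action<IntPtr, int> consumer)
    {
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            // UTF-16 copy in unmanaged memory, decrypted on the way out (Windows).
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secure);
            consumer(unmanaged, secure.Length);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
            {
                // Zeroes before freeing; a plain Marshal.FreeHGlobal would leave the bytes.
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            }
        }
    }

    public static void Demo()
    {
        using (SecureString password = Read()) // Dispose clears the protected buffer
        {
            UseAndWipe(password, (ptr, len) => Console.WriteLine($"{len} chars handed to consumer"));
        }
    }
}
```

The caveat the answer hints at is real: on .NET Core the SecureString contents are only encrypted on Windows; on Linux and macOS they sit in plain unmanaged memory, so what you gain there is the explicit clearing, not confidentiality. Microsoft also no longer recommends SecureString for new development for that reason.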


I would store the user's input only after it has been processed by a secure password hashing algorithm. Run the same algorithm when the user needs to authenticate again and compare the result to validate the user.



0


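What this answer describes, carried through as an added example (not the answerer's code): derive a PBKDF2-HMAC-SHA256 hash straight from the char buffer, store salt and hash, and verify later with a constant-time comparison. The record layout (salt followed by hash), the sizes and the iteration count are choices made here for illustration; the APIs used (Rfc2898DeriveBytes with HashAlgorithmName, CryptographicOperations, RandomNumberGenerator.Fill) are available from .NET Core 2.1 onwards.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the answerer's code). The password is never turned into a
// System.String: the chars are UTF-8 encoded into a byte[] we own and can zero.
public static class PasswordStore
{
    const int SaltSize = 16;
    const int HashSize = 32;
    const int Iterations = 600_000; // high count for PBKDF2-HMAC-SHA256; tune to current guidance

    // Called once at enrolment; returns salt || hash for persistence.
    public static byte[] Enroll(ReadOnlySpan<char> password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        byte[] hash = Derive(password, salt);
        byte[] record = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, record, 0, SaltSize);
        Buffer.BlockCopy(hash, 0, record, SaltSize, HashSize);
        CryptographicOperations.ZeroMemory(hash);
        return record;
    }

    // Called at login. FixedTimeEquals avoids leaking how many leading bytes matched.
    public static bool Verify(ReadOnlySpan<char> password, ReadOnlySpan<byte> record)
    {
        if (record.Length != SaltSize + HashSize)
        {
            return false;
        }
        byte[] salt = record.Slice(0, SaltSize).ToArray();
        byte[] candidate = Derive(password, salt);
        try
        {
            return CryptographicOperations.FixedTimeEquals(candidate, record.Slice(SaltSize));
        }
        finally
        {
            CryptographicOperations.ZeroMemory(candidate);
        }
    }

    static byte[] Derive(ReadOnlySpan<char> password, byte[] salt)
    {
        // Encode from the char buffer into a byte[] we control; no string is created.
        byte[] passwordBytes = new byte[Encoding.UTF8.GetByteCount(password)];
        Encoding.UTF8.GetBytes(password, passwordBytes);
        try
        {
            using (var kdf = new Rfc2898DeriveBytes(passwordBytes, salt, Iterations, HashAlgorithmName.SHA256))
            {
                return kdf.GetBytes(HashSize); // Dispose also clears the KDF's internal copy
            }
        }
        finally
        {
            CryptographicOperations.ZeroMemory(passwordBytes);
        }
    }

    public static void Demo()
    {
        char[] entered = "correct horse".ToCharArray(); // constructed sample input
        byte[] record = Enroll(entered);
        bool ok = Verify(entered, record);               // true
        bool bad = Verify("wrong".AsSpan(), record);     // false
        Array.Clear(entered, 0, entered.Length);
        Console.WriteLine($"match: {ok}, mismatch: {bad}");
    }
}
```

This pairs with the char-array prompt in the question: pass the filled buffer to Verify, then wipe it. The hash can live in memory and on disk indefinitely, which is the whole point; only the short-lived char and byte buffers need clearing.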






