Isn't password revealed with PasswordBox.Password property? - wpf

The MSDN documentation on PasswordBox.Password says:
When you get the Password property value, you expose the password as plain text in memory. To avoid this potential security risk, use the SecurePassword property to get the password as a SecureString.
So I send SecurePassword to my view model on PasswordChanged event, expecting everything to be secure, but if I inspect my application with Snoop, in PasswordBox's Password property I see the password I entered in plain text. Does that not kill the whole purpose of using SecurePassword? Is there anything else I should do here to protect the passwords?

This is my humble opinion.
Snoop injects its code into the running application. So, it's basically a hacking tool. A very easy-to-use hacking tool, which works only with your GUI.
This is why simply changing the visibility of any item to hide some data from the user is a poor security decision. Everything about restrictions, access and security shouldn't be handled at the UI layer. There are ways described in How to Snoop proof your wpf application? but the main point of the answers there is that you have to design your application in a way which doesn't allow Snoop to violate anything. Validate everything on the server, for example.
Back to your question:
There are two scenarios. First one is: the user creates a password. I believe this is not a concern if the user or the user's malware sees the password at this moment. Then you receive and store the secured string. And clear the user's password.
Second scenario: you display a stored password to the user. The trick is: you don't display it. You know the length of the password, so you can display just a disabled textbox with ****. And if a user wants to change a password, you give him actual PasswordBoxes, which he has to fill with the old password and the new one, and we are back to scenario #1.
The silver lining is:
When a user inputs a password it's not a big deal that it is lying in clear text somewhere in memory, since the user knows what he's typed and malware can track keys pressed.
After you've stored the password you never ever give it back to the user.
Update: This is the source code for the Password property of a PasswordBox:
public string Password
{
    [SecurityCritical]
    get
    {
        string password;
        // SecurePassword returns a copy of the protected string; it is decrypted into an unmanaged BSTR...
        using (SecureString securePassword = this.SecurePassword)
        {
            IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(securePassword);
            try
            {
                unsafe
                {
                    // ...and that plain text is copied into a managed string, which stays in memory
                    // until the garbage collector reclaims it.
                    password = new string((char*)ptr);
                }
            }
            finally
            {
                // The unmanaged copy is wiped and freed; the managed string above is not.
                System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
            }
        }
        return password;
    }
}
So, I guess what MSDN is saying is that whenever you access the Password property, by calling it in code (or viewing it in VS while debugging, or viewing it in Snoop), you call its get method, which decrypts the SecureString to plain text, which exposes it in memory. If you don't call the Password property and don't call it by inspecting in software tools, then the password doesn't show up in memory in plain text.
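To complement the answer above, here is an added example (not from the question, the answer, or the WPF sources) of the "receive and store the secured string" pattern: the code-behind hands PasswordBox.SecurePassword to a hypothetical view model, the view model passes it on to an API that accepts SecureString, and when raw characters are unavoidable they are exposed only inside a callback and wiped afterwards. LoginViewModel, LoginWindow and the handler name are assumptions.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Windows;
using System.Windows.Controls;

// Hypothetical view model: keeps only the SecureString copy taken from the PasswordBox.
public sealed class LoginViewModel : IDisposable
{
    public string UserName { get; set; }
    public SecureString SecurePassword { get; private set; }

    public void SetPassword(SecureString fromBox)
    {
        SecurePassword?.Dispose();   // release the previous copy
        SecurePassword = fromBox;    // PasswordBox.SecurePassword already returns a new copy
    }

    // Prefer APIs that accept SecureString directly, so no immutable System.String is ever built.
    public NetworkCredential ToCredential() => new NetworkCredential(UserName, SecurePassword);

    // When an API needs raw characters, expose them only inside the callback and zero the
    // unmanaged buffer afterwards, instead of materializing them through PasswordBox.Password.
    public void WithPlaintextChars(Action<IntPtr, int> use)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(SecurePassword); // UTF-16, NUL-terminated
            use(ptr, SecurePassword.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr); // wipe, then free
        }
    }

    public void Dispose() => SecurePassword?.Dispose();
}

// Code-behind for a hypothetical LoginWindow; the handler is wired to PasswordChanged in XAML.
public partial class LoginWindow : Window
{
    private readonly LoginViewModel _vm = new LoginViewModel();
    private void PasswordBox_PasswordChanged(object sender, RoutedEventArgs e)
    {
        _vm.SetPassword(((PasswordBox)sender).SecurePassword); // never read .Password here
    }
}
```

This keeps the plain text out of the managed heap during normal operation; it does not stop a debugger or an injected tool from reading the decrypted buffer while the callback runs, which is the limit the answer above describes.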

Website "you can do this" script

I want to create a training path for new users accessing my site. This training path must display info bubbles showing what you can do on every page, but only the first time you access it.
So, for example, if a user enters a page where there's an edit button an info box should appear next to the edit button telling the user that he can edit that page.
I will create the script myself, I just want to know what's the best method to check if the user has already seen that box or not. I was thinking about storing in the database a boolean value for each info box which will be set to true if the user has seen the box. To save some queries to the DB I think I can also store the same values in localStorage or in cookies.
What is the best practice for creating user training paths for a website?
The way I suggest is to store the user id (IP or username?) and a bit value for each bubble, as you say.
PS: for your script you can use this:
http://www.maxvergelli.com/jquery-bubble-popup/documentation/
Jérôme

cakephp avoid logged in users to access other user's account

I'm developing a website with CakePHP 1.3.7. Everything is going fine and I love it, but I just came across a problem (probably because of my lack of knowledge) that I can't figure out how to fix.
This is my problem:
In the website, there's the typical 'manage my account' area, where users can only access when they're logged in. In this area, there's a link that calls to an action in the same 'users' controller called 'edit_items'. So when a user goes to edit_items, the action receives as a parameter the user's id (something like domain.com/users/edit_items/45, where 45 is the user's id), and shows the information in a form. The problem comes if I go directly to the address bar of the browser and change that 45 for any other user's Id, then the information of that other user is also shown, even if that user is not logged in. This is obviously a big security issue.
I've been trying to avoid passing the user's id as a parameter and getting it from the Auth component (which I'm using) with $this->Auth->User('id'). For whatever reason, I can read the logged user's info into the form fine, but when I try to save the changes on the form, I get an error as if the save action had failed, and I have no clue why.
Is there any other way to avoid my problem? Or to figure out why the save is returning an error?
Thanks!
EDIT
So the problem comes from the validation, here's the deal: when the user fills out the form to create a new item, there are certain fields, some of them with validation rules applied. However, when the user goes back to edit the item, not all the fields are editable, only some. Is it possible that, since some fields that required validation when creating the item are not available when editing, that causes the error? How can I avoid that? Can I change the validation rules only for the edit action?
Example of what's happening: when creating an item, one of the fields is item_name, which has some validation applied to it. When editing the item, its name can not be changed, so it's not shown in the edit form. I believe this is what may be causing the error, maybe because the item_name is missing?
You are headed in the right direction: passing user_id on the URL is a bad idea when the users need to edit their own details.
You can use the following: when saving your form, before the actual save, you can pass the user_id into the posted data. Something like this:
if (!empty($this->data)) {
    // Take the id from the authenticated session, never from the URL or the posted form.
    $this->data['User']['id'] = $this->Auth->user('id');
    ... //Some extra stuff
    if ($this->User->save($this->data)) {
        ... //success
    } else {
        ... //error
    }
}
This way the logged-in user will always overwrite their own record. Check if you have some validation rules in your model which give you this error.

Secure Menu Items Based on User

On this winform application I am writing, I want to secure one menu item from most users. It runs a month-end and cannot be easily backed out if accidentally run. The menu option opens up a window to prompt the user for some information before processing. I don't care where exactly I do the check, but I want to be sure only certain users can run this function.
A Google search (on my question title above) didn't turn up anything obvious. Can anyone point me in a direction to pick up who is signed into Windows and how to check if they are authorized?
This page has some code for getting user details and checking them.
This code:
public string GetloggedinUserName()
{
    System.Security.Principal.WindowsIdentity currentUser =
        System.Security.Principal.WindowsIdentity.GetCurrent();
    return currentUser.Name;
}
returns the current user name. You could use this to check against your list of authorised users.
More details on the WindowsIdentity class can be found here.
It has a Groups property which you could use to check for membership of a group rather than having to check individual users.
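As an added example (not part of the question or the answer above), this gates the month-end menu item on Windows group membership via WindowsPrincipal.IsInRole, and repeats the check when the item is actually clicked so that the UI state is a convenience and not the control. The group name, MainForm, monthEndMenuItem and MonthEndDialog are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Windows.Forms;

public static class MonthEndAuthorization
{
    // Placeholder group; replace with the local or domain group that may run month-end.
    public const string RequiredGroup = @"BUILTIN\Administrators";

    // Group membership check on the signed-in Windows user (accepts "DOMAIN\Group" names too).
    public static bool IsAuthorized(WindowsIdentity identity, string group)
    {
        var principal = new WindowsPrincipal(identity);
        return principal.IsInRole(group);
    }

    public static bool CurrentUserIsAuthorized()
    {
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            return IsAuthorized(me, RequiredGroup);
        }
    }
}

// Hypothetical WinForms form with a designer-created ToolStripMenuItem named monthEndMenuItem.
public partial class MainForm : Form
{
    private void MainForm_Load(object sender, EventArgs e)
    {
        // Disabling the item only tidies the UI; the real gate is in the click handler.
        monthEndMenuItem.Enabled = MonthEndAuthorization.CurrentUserIsAuthorized();
    }

    private void monthEndMenuItem_Click(object sender, EventArgs e)
    {
        // Re-check at the point of action so a tweaked UI cannot bypass the restriction.
        if (!MonthEndAuthorization.CurrentUserIsAuthorized())
        {
            MessageBox.Show(this, "You are not authorized to run month-end processing.", "Access denied");
            return;
        }
        using (var dialog = new MonthEndDialog())
        {
            dialog.ShowDialog(this);
        }
    }
}
```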

WPF IDataErrorInfo multiple field validation

What is a good way to integrate multiple field validation with IDataErrorInfo?
Let's say that I have a dialog with 3 textboxes for FTP information:
URL
Username
Password
I have put the Required attribute on the fields (assume a normal TextBox for the password).
I validate the FTP connection when the user presses "OK". At the moment I show a dialog, but it would be nice if I could trigger the Validation error style on FTP connection errors.
I have looked at Validation.MarkInvalid but don't understand how to use it.
var be = xamlURLField.GetBindingExpression(TextBox.TextProperty);
Validation.MarkInvalid(be, new ValidationError(-- WhatValidationRuleToPutHere --, be, "Can't connect to ftp", null));
You are mixing concerns a little here. Validation is for validating user input on a basic level. Doing some post-verification should be handled differently and is generally more complex than you'd want to encompass in the area of "Validation". When something like this is hard, there is usually a reason and this is the reason.
I would treat trying to connect as a separate step in your user interaction and display a message manually.

Best way to implement "Remember Me" check box in WinForms / WPF

I want to add a "Remember Me" check box to the login form of my WPF App. What's the best way to do this?
Currently the app logs in via a web service call that returns an authenticated token that it uses for subsequent calls. Should I simply two-way encrypt and store this token somewhere in the file system?
You could also store it in Isolated Storage or create a User setting in your application's Settings.
Edit: Oren's suggestion of using DPAPI to protect information is well and good, but it doesn't store anything:
An important point to remember is that DPAPI merely applies cryptographic protection to the data. It does not store any of the protected data; therefore applications calling DPAPI must implement their own storage of the protected data.
Use the DPAPI. See also How to store passwords in Winforms application?.
I googled another solution:
Right click on your Project -> Properties -> Settings.
Add your variable which you need to store on client machine.
For example:
Name        Type      Scope   Value
UserName    String    User
Password    String    User
Then, for example, you want to save preference on login button click:
if (CheckboxRemember.Checked)
{
    YourProjectNamespace.Properties.Settings.Default.UserName = TextBoxUserName.Text;
    YourProjectNamespace.Properties.Settings.Default.Password = TextPassword.Text;
    YourProjectNamespace.Properties.Settings.Default.Save();
}
In the same way, access these values on window load or application startup:
TextBoxUserName.Text = YourProjectNamespace.Properties.Settings.Default.UserName;
TextPassword.Text = YourProjectNamespace.Properties.Settings.Default.Password;
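Combining the "Use the DPAPI" answer with the note that DPAPI does not store anything, here is an added example (not from any of the answers above) that protects the web service token with ProtectedData and persists the resulting blob in a per-user file, so the plaintext token never sits in the settings file. RememberMeStore, the entropy string and the file path are assumptions; ProtectedData lives in System.Security.dll on .NET Framework.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Remember-me token storage: DPAPI for protection, our own file for persistence.
public static class RememberMeStore
{
    // Optional extra entropy bound into the blob; a hypothetical app-specific constant, not a secret.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.RememberMe.v1");

    // Hypothetical location under %LOCALAPPDATA%; readable only by this Windows user by default.
    private static string TokenPath =>
        Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
                     "MyApp", "remember.bin");

    // CurrentUser scope: only the same Windows account on the same machine can unprotect the blob.
    public static byte[] Protect(string token) =>
        ProtectedData.Protect(Encoding.UTF8.GetBytes(token), Entropy, DataProtectionScope.CurrentUser);

    public static string Unprotect(byte[] blob) =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser));

    public static void Save(string token)
    {
        Directory.CreateDirectory(Path.GetDirectoryName(TokenPath));
        File.WriteAllBytes(TokenPath, Protect(token));
    }

    // Returns null when nothing is stored or the blob cannot be unprotected
    // (copied from another account or machine, or tampered with); the stale file is removed.
    public static string Load()
    {
        if (!File.Exists(TokenPath)) return null;
        try { return Unprotect(File.ReadAllBytes(TokenPath)); }
        catch (CryptographicException) { Forget(); return null; }
    }

    public static void Forget()
    {
        if (File.Exists(TokenPath)) File.Delete(TokenPath);
    }
}
```

Store the revocable token rather than the password, and call Forget() on explicit logout; any process running under the same Windows account can still unprotect the blob, so this protects against other users and offline copies, not against malware in the same session.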
