CODEWITHSUNDEEP
.netwindowssecuritymemory-management
Mubashar
Mubashar

Reputation: 12668

Common Practice regarding Passwords in Memory

I am writing a .net(C#) windows application to store user passwords in it, like keypass, lastpass, roboforms etc.

To process the user data i have to keep it in memory this data also contains Passwords of the user.

Now my Questions are:

  1. Can someone read the Memory Data using some tool or memory dump?
  2. If yes then How? Can someone share such tool? i tried with CurrProcess, HeapViewer,ProcessExplorer and ProcessView applications but can't find any private data in memory dump,
  3. Do I need to learn something else to ensure the protection of in memory passwords.

Thanks

Upvotes: 6

Views: 4881

Answers (5)

Kobi
Kobi

Reputation: 138067

You are correct in your concerns, strings in memory are not safe.

You're probably looking for the SecureString class.

Upvotes: 9

Andrey Taptunov
Andrey Taptunov

Reputation: 9495

My experience is limited in security but I hope that this will be helpfull

  1. Yes, it's possible
  2. You can use WinDbg + SOS to get almost anything you want from object's internal representation
  3. There is a special class called SecureString in BCL that should fit your needs.

Upvotes: 1

PaulG
PaulG

Reputation: 14041

If you're concerned about someone snooping the RAM for passwords, then you have more significant issues. If a malicious user has access to the RAM, then it is trivial to drop a keylogger onto the machine, or to bypass where the keys are used in software, or to intercept the keys once they are decrypted. etc etc

The general rule is, if someone has access to the machine, then its game over security wise.

Upvotes: 8

Eugene Mayevski 'Callback
Eugene Mayevski 'Callback

Reputation: 46070

Yes, there exist tools that capture all physical memory (and pagefile) for further investigation. They are called "forensic" and you can find some by adding this keyword to your searches. If you want to capture memory in your code (i.e. write such program yourself), this is possible using our RawDisk product.

As for protecting your passwords, Kobi mentioned SecureString class, which is supposed to securely store strings in memory. While this class is not a 100% protection ( the password is decrypted anyway when you use it ), but makes password capture much less likely.

Upvotes: 4

darioo
darioo

Reputation: 47193

I'd suggest exploring source code of Keepass (version 2.xx). It is written in .NET, and it deals with same issues you're concerned about.

Upvotes: 1

Related Questions