thecodeexplorer

Reputation: 373

How to pass passwords as parameters in a method

I have the method login() below that accepts two parameters, username and password. I plan to use this method in another class but I am not sure if there is any convention when passing passwords to a method. Should I use a different datatype for the password? And am I using it correctly when I try to call the method?

class Library {

    public string login(string username, string password) {
              externalObject.WriteLine("login {0} {1}", username, password);
              string response = externalObject.Execute();
              return response;
    }

}

class HomePage {

     public string callLoginMethod(){
               string username = "dummyUsername";
               string password = "dummyPassword";

               Library library = new Library();
               string output = library.login(username, password);
               return output; // the method is declared to return string
     }

}

Upvotes: 0

Views: 2553

Answers (2)

Rao khurram adeel

Reputation: 626

Agree with Marc Gravell, you should use SecureString. You can use the code below:

class Library {

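    public string login(System.Security.SecureString username, System.Security.SecureString password)
    {
        // SecureString.ToString() returns only the type name, so the text has to
        // be recovered explicitly before it is formatted into the command.
        externalObject.WriteLine("login {0} {1}", ToPlainText(username), ToPlainText(password));
        string response = externalObject.Execute();
        return response;
    }

    // Copies the protected value into an ordinary managed string.
    private static string ToPlainText(System.Security.SecureString value)
    {
        return new System.Net.NetworkCredential(string.Empty, value).Password;
    }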

}

class SecureLibrary {

    public System.Security.SecureString GetSecureString(string text)
    {
        System.Security.SecureString strSecure = new System.Security.SecureString();
        foreach (char c in text)
        {
            strSecure.AppendChar(c);
        }
        return strSecure;
    }
}

class HomePage
{

    public string callLoginMethod()
    {
        string username = "dummyUsername";
        string password = "dummyPassword";

        Library library = new Library();
        SecureLibrary seclib = new SecureLibrary();
        string output = library.login(seclib.GetSecureString(username), seclib.GetSecureString(password));
        return output; // the method is declared to return string
    }

}

Upvotes: 0

Marc Gravell

Reputation: 1062745

If you need to use passwords, that is usually fine. There are some scenarios where it might be useful to keep them as a char[] so they can be overwritten (zeroed) easily afterwards, or as SecureString - but frankly both of these only help in very specific scenarios where the machine running the code is already completely compromised, and all they do is make it more inconvenient for an attacker. So in most real-world cases: string is fine.

Of course, if you can avoid having to know plain text passwords at all (certs, Windows auth, app-keys, etc) - then that might be a way of avoiding the problem.

Upvotes: 2
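
The char[] option mentioned in the answer above, as an added example that is not part of the original answer: the caller owns the password buffer and wipes it once login returns. The Stream parameter is an assumed stand-in for the question's externalObject, and the sample values are constructed.

```csharp
using System;
using System.IO;
using System.Text;

static class Library
{
    // Takes the password as char[] so the caller owns the buffer and can wipe it.
    // "channel" is a hypothetical stand-in for the question's externalObject.
    public static void Login(Stream channel, string username, char[] password)
    {
        byte[] prefix = Encoding.UTF8.GetBytes("login " + username + " ");
        // Encode into a buffer we control. string.Format would copy the
        // password into an immutable string that cannot be overwritten.
        byte[] secret = Encoding.UTF8.GetBytes(password);
        try
        {
            channel.Write(prefix, 0, prefix.Length);
            channel.Write(secret, 0, secret.Length);
            channel.WriteByte((byte)'\n');
        }
        finally
        {
            Array.Clear(secret, 0, secret.Length); // wipe our encoded copy
        }
    }
}

static class HomePage
{
    public static void Main()
    {
        // Constructed sample input. A real caller fills the array from user
        // input; a string literal would stay in memory regardless.
        char[] password = { 'd', 'u', 'm', 'm', 'y' };
        using (var channel = new MemoryStream())
        {
            try
            {
                Library.Login(channel, "dummyUsername", password);
            }
            finally
            {
                Array.Clear(password, 0, password.Length); // wipe the caller's copy
            }
            Console.WriteLine("bytes sent: " + channel.Length);
            Console.WriteLine("password cleared: " + Array.TrueForAll(password, c => c == '\0'));
        }
    }
}
```

The garbage collector may still have copied the array while compacting the heap, so this narrows the exposure window rather than closing it.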
