securestring

I've always felt like SecureString was a little odd, but assumed most of my issues with it were due to security problems I don't understand. Today I decided to sit down and teach myself about it, but I've hit what seems like a fatal snag. The scenario I envision is "user enters password into text box, that password is hashed and compared to a stored hash". At first I was worried that the text box contained the string, but then I realized you could roll a custom text box that uses SecureString as its store. Cool. It's the "that password is hashed and compared..." part that is giving me trouble.

How would I get a byte[] equivalent of a SecureString (which I get from a PasswordBox )? My objective is to write these bytes using a CryptoStream to a file, and the Write method of that class takes a byte[] input, so I want to convert the SecureString to the byte[] so I can use in with a CryptoStream . EDIT: I don't want to use string as it defeats the point of having a SecureString I modified from the original answer to handle unicode IntPtr unmanagedBytes = Marshal.SecureStringToGlobalAllocUnicode(password); byte[] bValue = null; try { byte* byteArray = (byte*)unmanagedBytes.GetPointer(); /

How to convert String to SecureString ? You don't. The whole reason for using the SecureString object is to avoid creating a string object (which is loaded into memory and kept there in plaintext until garbage collection). However, you can add characters to a SecureString by appending them. var s = new SecureString(); s.AppendChar('d'); s.AppendChar('u'); s.AppendChar('m'); s.AppendChar('b'); s.AppendChar('p'); s.AppendChar('a'); s.AppendChar('s'); s.AppendChar('s'); s.AppendChar('w'); s.AppendChar('d'); There is also another way to convert between SecureString and String . 1. String to

According to MSDN SecureString contents is encrypted for additional safety so that if the program is swapped to disk the string contents can't be sniffed. How is such encryption possible I wonder? The algorithm would be fixed and therefore either well-known or deductible (say one of seven widely used in industry algorithms) and there must be a key somewhere in the program. So the attacker could fetch the encrypted string, fetch the key and decrypt the data. How can such encryption be useful? NetSquirrel I'm quoting from an article about the DPAPI which is used to derive the key. This should

If I understand correctly, this is for keeping plain text out of memory, so that the app is secure against esoteric attacks on memory, the garbage heap, or memory paged to disk. The SecureString is fed unmanaged bytes and consumed one unmanaged byte at at time--then the string is erased from memory. (Correct me if I way off!) In ASP.NET, the secret is collected in a webform, which post back in HTTPS. But then the Request object turns all the request values from the form into name value pairs and puts them in a collection, e.g. Request["TxtPassword"]-- so even before I can get the string, it's

I'm working in PowerShell and I have code that successfully converts a user entered password into plain text: $SecurePassword = Read-Host -AsSecureString "Enter password" | convertfrom-securestring | out-file C:\Users\tmarsh\Documents\securePassword.txt I've been tried several ways to convert it back, but none of them seem to work properly. Most recently, I've tried with the following: $PlainPassword = Get-Content C:\Users\tmarsh\Documents\securePassword.txt #convert the SecureString object to plain text using PtrToString and SecureStringToBSTR $BSTR = [System.Runtime.InteropServices.Marshal]: