I have a program that will detect the username and domain for the user, and the user has to enter their password in order for them to enter into the main program. Immediately I read the password I set it to secure string then I clear out the text box. I was told that I still need to "zero out the memory after I read the password". I'm having difficulty finding a way to zero out the memory before the program ends.

This is part of my code that handles the password.

```csharp
SecureString securePwd = ConvertToSecureString(txtPassword.Text);
CheckAuthentication(" userName, securePwd, domainName);
```

If the username or/and password is incorrect the user needs to go back to fill it in again.

When I run the debug the only place I could see the password plain text is when I pass it to `SecureString securePwd = ConvertToSecureString(txtPassword.Text)` and before I clear the text box `txtPassword.Clear()`.

I know this is the bad way to zero out the memory. I would appreciate if you can help me with this problem.

You're in a losing battle with what you are trying to accomplish. If you want security then use a language (or controls) that can facilitate what you're after natively (which translates into more work for you). Even still, there are always going to be (easier) ways to capture what was typed into the textbox outside of reading the memory so wiping the textbox's memory is pointless unless you can somehow prove that the client machine is clean and trusted (in which case your question is useless).

If you can guarantee that the client's environment is clean of keyloggers and window sniffers, but for some reason you're still concerned with this then I'd suggest writing some native (or unsafe) C++ that might be able to zero out the memory using techniques similar to the programs you're trying to avoid. Even in this case you're not guaranteed data safety because there is always the time it takes from when the password is entered into the textbox to when the form is submitted that it will appear in plain text in memory. If you had to ask how then you probably shouldn't be doing it in the first place, and even still those of us that have been naive enough to attempt have not done so without pitfalls.

After further thought it might be possible to do what you're after (save the case where there is a keylogger involved) by:

1. Keeping track of encrypted keys pressed in some sort of collection
2. Hooking one of the key press events on the textbox whose event handler would:
   2a. Encrypt each key value using an asymmetric encryption
   2b. Add it to the encrypted key collection
   2c. Add an explicit password character to the textbox (or not depending on your requirements)
   2d. Explicitly tell the event to ignore the key

It is possible though the amount of effort required to do so would outweigh the threat (especially considering it doesn't guard against keyloggers). This would also negate the necessity for the SecureString in your case.

I know this was asked ages ago, but I thought I'd give my solution in case someone stumbles upon it as I did.

I achieved this by using WindowsForms and trapping the KeyPress events for a regular text box (instead of a password box). Instead of allowing the event to populate the text box, I generate a '*' character and insert the character directly into a SecureString. This way the password is never in memory.

KeyDown is fired first:

```csharp
private void Password_KeyDown(object sender, KeyEventArgs e)
_PasswordBoxControlDown = e.Control; // toggle if control is also down
if (caller.SelectionLength > 0) //more than 1 character selected
for (int i = caller.SelectionStart i 0) //more than 1 character selected
for (int i = caller.SelectionStart i 0) // nothing selected - but cursor is not at the beginning of textbox
_SecurePassword.RemoveAt(caller.SelectionStart - 1);
caller.Text = caller.Text.Remove(caller.SelectionStart - 1, 1);
KeyDownDidSomething(caller, e, position);
e.Handled = true; //tells the text box that the event has been handled, text box will not write character to text box.
private void KeyDownDidSomething(TextBox caller, KeyEventArgs e, int position)
//use this to do whatever you need to do when you handle an event (if at all)
```

Followed by KeyPress:

```csharp
private const char ENTER_KEY = (char)13;
private void Password_KeyPress(object sender, KeyPressEventArgs e)
if (ch >= 32 & ch 0) //Handles inserting when text is selected (removing selected characters)
for (int i = caller.SelectionStart; i < caller.SelectionStart + caller.SelectionLength; i++)
_SecurePassword.RemoveAt(caller.SelectionStart);
caller.Text = caller.Text.Remove(caller.SelectionStart, caller.SelectionLength);
caller.Text = caller.Text + '*'; //generate a * so the user knows how many characters they've entered
Password_PasteClicked(null, null); //handle paste event
SaveAndCloseButton_Click(null, null); //handle enter.
// add events for any special characters here
```