Passwords in memory

Apr 12, 2012 at 7:27 PM

Hello!

I wrote a simple application for forwarding local ports, it works great and was really easy!

But I have one concern: when investigating the memory of my application I found that my password was present no less than 13 times. I tried to remove it by setting _password (in PasswordConnectionInfo) to null after successful authentication, but without luck.

Would it be possible to either encrypt the password stored in memory or after authentication, remove it completely from memory?
Also, my application clears the PasswordBox used for entering the password. This is how I establish a connection:

void initSSHClient()
{
    // The password leaves the PasswordBox as an immutable managed string here;
    // the library receives that string by value, so clearing the control later
    // does not remove the copies that were already made.
    client = new SshClient(tbHost.Text, tbUsername.Text, pbPassword.Password);
    client.ConnectionInfo.AuthenticationBanner += new EventHandler<Renci.SshNet.Common.AuthenticationBannerEventArgs>(ConnectionInfo_AuthenticationBanner);
    client.Connect();
    if (client.IsConnected)
    {
        pbPassword.Clear();   // clears the UI control only
    }
}

Coordinator
Apr 13, 2012 at 12:42 PM

Hi,
I guess I can use SecureString class instead of string.
What do you use to see the program memory and find you password in there?

So I could test it.
Thanks,

Oleg
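
An added example, not code from this thread or from SSH.NET, of the SecureString approach Oleg mentions: the password is decrypted only into pinned buffers the caller controls and zeroed as soon as the consumer is done. The consumer delegate stands in for the library's password authentication step (which in the version discussed here takes a plain string); ScrubbedPassword and UseUtf8Bytes are names chosen for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;

// Added example (not SSH.NET code): keep the password in a SecureString and
// hand it to a consumer only as a short-lived, pinned byte[] that is zeroed
// afterwards, so the caller never creates an immutable System.String copy.
static class ScrubbedPassword
{
    public static T UseUtf8Bytes<T>(SecureString secret, Func<byte[], int, T> consumer)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        byte[] bytes = new byte[Encoding.UTF8.GetMaxByteCount(chars.Length)];
        // Pin both buffers so the GC cannot relocate them and leave stale copies behind.
        GCHandle charPin = GCHandle.Alloc(chars, GCHandleType.Pinned);
        GCHandle bytePin = GCHandle.Alloc(bytes, GCHandleType.Pinned);
        try
        {
            // Decrypt into unmanaged memory we control, then copy into the pinned char[].
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            int length = Encoding.UTF8.GetBytes(chars, 0, chars.Length, bytes, 0);
            return consumer(bytes, length);   // e.g. feed the bytes to the authenticator
        }
        finally
        {
            // Zero every copy this method made, whether or not the consumer threw.
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(chars, 0, chars.Length);
            Array.Clear(bytes, 0, bytes.Length);
            charPin.Free();
            bytePin.Free();
        }
    }

    static void Main()
    {
        // Constructed sample: a real application appends characters as they are typed
        // (WPF PasswordBox exposes SecurePassword directly) rather than from a literal.
        SecureString secret = new SecureString();
        foreach (char c in "hunter2") secret.AppendChar(c);
        secret.MakeReadOnly();

        int sent = UseUtf8Bytes(secret, (buf, len) => len);   // stand-in for the userauth step
        Console.WriteLine("password bytes handed to consumer: " + sent);
        secret.Dispose();
    }
}
```

Only the copies this code makes are scrubbed; whatever the library or the socket layer copies out of the buffer afterwards is still theirs to clear, which is the part this thread is asking the maintainer to address.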

Apr 13, 2012 at 12:49 PM
Edited Apr 13, 2012 at 12:55 PM

In ProcessHacker you can either create a dump of the memory and examine it with a hex editor, or you can just press Properties on the process, select the Memory tab, then the "Strings" button, and search for your password.

In a hex editor search for "ssh-connection" and you will see a few occurrences of that and the password you used to establish the connection.
I would rather be given the option to save the password in the session, or to just use the password to authenticate and then erase it from memory.
EDIT: Added "then the "Strings" button" in the first part of the post.

Coordinator
Apr 13, 2012 at 12:56 PM

OK,

I will take a look at it and see what I can come up with.
Thanks,

Oleg

Apr 13, 2012 at 12:59 PM

I just started using this awesome library, and with my limited knowledge I came down to "RequestMessagePassword.saveData()", which stores the password. Disabling this will cripple the login, and I haven't figured out when it's OK to set it to null yet.

Apr 27, 2012 at 3:49 PM
This discussion has been copied to a work item.