This project is read-only.

Passwords in memory

Apr 12, 2012 at 8:27 PM


I wrote a simple application for forwarding local ports, it works great and was really easy!

But i have one concern, when investigating the memory of my application i found that my password was found no less then 13 times. I tried to remove it but setting _password (in PasswordConnectionInfo) to null after successful authentication but without luck.

Would it be possible to either encrypt the password stored in memory or after authentication, remove it completely from memory?


Also, my application clears the passwordbox used for entering the password. This is how i establish a connection:

void initSSHClient()
            client = new SshClient(tbHost.Text, tbUsername.Text, pbPassword.Password);
            client.ConnectionInfo.AuthenticationBanner += new EventHandler<Renci.SshNet.Common.AuthenticationBannerEventArgs>(ConnectionInfo_AuthenticationBanner);
            if (client.IsConnected)

Apr 13, 2012 at 1:42 PM



I guess I can use SecureString class instead of string.


What do you use to see the program memory and find you password in there?

So I could test it.




Apr 13, 2012 at 1:49 PM
Edited Apr 13, 2012 at 1:55 PM

In ProcessHacker you can either create a dump of the memory and examine it with a hexeditor or you can just press Properties on the process and select the tab memory then the "strings" button and search for your password.

In a hexeditor search for "ssh-connection" and you will see a few occurances of that and the password you used to establish the connection.


I would rather be given the option to save the password in the session or to just use the password to authenticate then erase it from memory.



EDIT: Added " then the "strings" button " in the first part of the post.

Apr 13, 2012 at 1:56 PM


I will take a look at it and see what I can come up with.




Apr 13, 2012 at 1:59 PM

I just started using this awsome library, and with my limited knowledge i came down to "RequestMessagePassword.saveData()" which stores the password. Disabling this will cripple the login and i havent figured out when its ok to set it to null yet.

Apr 27, 2012 at 4:49 PM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.