Securely transporting a password in .NET Framework 4.6.1
Hi. I've faced a Checkmarx issue complaining that I did not erase a string containing a password from memory. The C# code fragment looks like this:
...
// temporary password, generated as a plain (immutable) System.String
string temporaryPassword = GenerateTemporaryPassword();
// ASP.NET Identity 2.x: the async variant is the one that returns a Task<string>
string token = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
// the API only accepts a System.String for the new password
await UserManager.ResetPasswordAsync(user.Id, token, temporaryPassword);
...
GenerateTemporaryPassword() is a method returning a generated string based on a GUID and special characters.
So Checkmarx complains when invoking the above method and assigning the result to a simple string variable. My questions are:
1. Does it make sense to convert it to SecureString (I know it shouldn't be used in .NET Core and it's not the best, but I am asking anyway to be sure) considering the fact that I must pass a string to the ResetPasswordAsync method? Does ResetPasswordAsync handle the plain string securely?
2. Are there any other ideas or solutions you would recommend for the above issue? Is there any fully secure way to handle this? Maybe accessing the assembler level?
8 Replies
Unknown User • 14mo ago
Message Not Public
@TeBeClone By my computer's memory dump, do you mean a memory dump on the server where the application is deployed?
That's most probably hard to get, but right, if someone gets it, it's done.
I don't understand that statement, what do you mean?
Is it a joke I don't get? xD
I haven't even found anything on how to clear a string from memory. It always says that it should be left to the GC.
Unknown User • 14mo ago
Message Not Public
I've contacted my manager about it and found that there was already a similar problem marked "not exploitable".
Thanks for your input.
Btw, borderline sarcasm? Never heard of it.
Unknown User • 14mo ago
Message Not Public
Yeah, sarcasm I am of course aware of, but borderline no, thanks for explaining.
Have a good day bro.
And thanks again.
Hi,
I know it's a bit late (seeing it's already solved). Maybe you can use this info.
Clearing and changing strings leaves the data in memory until it is really cleaned. So in theory an attacker can install a program which scans the memory.
MS has a solution, but I really do not know how good it is, namely: SecureString.
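The following is an added example, not code from anyone in this thread, showing what SecureString can and cannot do for the case above on .NET Framework 4.6.1. It generates the temporary password straight into a SecureString from RNGCryptoServiceProvider (so the whole secret is never a System.String while it is being built), then hands it to a string-only API through a BSTR that is zeroed afterwards. The names WithPlainTextAsync, ZeroManagedString and the alphabet are my own, the `use` callback stands in for UserManager.ResetPasswordAsync, and the file must be compiled with /unsafe because of the in-place overwrite of the managed string.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Threading.Tasks;

static class TempPasswordDemo
{
    // Alphabet for the generated password (constructed for this example).
    const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+";

    // Builds the password one char at a time inside a SecureString, so no
    // System.String holding the full secret is created here. Uses the CSPRNG
    // (RNGCryptoServiceProvider exists on .NET Framework 4.6.1) instead of Guid.
    static SecureString GenerateTemporaryPassword(int length)
    {
        var secure = new SecureString();
        var buf = new byte[1];
        int limit = 256 - (256 % Alphabet.Length); // rejection sampling: no modulo bias
        using (var rng = new RNGCryptoServiceProvider())
        {
            for (int i = 0; i < length; i++)
            {
                int b;
                do
                {
                    rng.GetBytes(buf);
                    b = buf[0];
                } while (b >= limit);
                secure.AppendChar(Alphabet[b % Alphabet.Length]);
            }
        }
        secure.MakeReadOnly();
        return secure;
    }

    // Hands the secret to an API that insists on a System.String (like
    // UserManager.ResetPasswordAsync) for the shortest window we control.
    // Copies the callee makes internally (hashing, logging) are out of our hands.
    static async Task WithPlainTextAsync(SecureString secure, Func<string, Task> use)
    {
        IntPtr bstr = IntPtr.Zero;
        string plain = null;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secure); // decrypts into unmanaged memory
            plain = Marshal.PtrToStringBSTR(bstr);     // the unavoidable managed copy
            await use(plain);
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr); // wipes the unmanaged copy
            if (plain != null) ZeroManagedString(plain);         // best effort on the managed copy
        }
    }

    // Overwrites a managed string in place (requires /unsafe). Only acceptable for a
    // string this code created itself: never a literal or interned string, which may be
    // shared. The GC may already have moved or copied the object, so this shrinks the
    // exposure window; it does not guarantee the secret is gone from memory.
    static unsafe void ZeroManagedString(string s)
    {
        fixed (char* p = s)
        {
            for (int i = 0; i < s.Length; i++) p[i] = '\0';
        }
    }

    static async Task RunAsync()
    {
        using (SecureString temp = GenerateTemporaryPassword(20))
        {
            // Stand-in for: await UserManager.ResetPasswordAsync(user.Id, token, plain);
            await WithPlainTextAsync(temp, plain =>
            {
                Console.WriteLine("password of length " + plain.Length + " handed to the API");
                return Task.CompletedTask;
            });
        } // SecureString.Dispose() zeroes its own buffer
    }

    static void Main()
    {
        RunAsync().GetAwaiter().GetResult();
    }
}
```

The point the example makes for question 1 in the original post: as long as ResetPasswordAsync takes a string, a plaintext System.String must exist at some moment, and the framework will make further copies of it (the password hasher works on byte arrays derived from it). SecureString plus BSTR zeroing reduces how long and how widely the secret sits in memory; it cannot make the exposure zero, which is why a finding like this is commonly risk-accepted rather than "fixed".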
Unknown User • 14mo ago
Message Not Public