McBacon
C#
Created by McBacon on 10/17/2023 in #help
✅ Securely transporting password in .NET Framework 4.6.1
Hi. I've faced a Checkmarx issue complaining that I did not erase a string containing a password from memory. The C# code fragment looks like this:

```csharp
...
string temporaryPassword = GenerateTemporaryPassword();
string token = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
await UserManager.ResetPasswordAsync(user.Id, token, temporaryPassword);
...
```

GenerateTemporaryPassword() is a method returning a generated string based on a GUID and special signs. So Checkmarx complains when invoking the above method and assigning the result to a simple string variable. My questions are:

1. Does it make sense to convert it to SecurePassword (I know it shouldn't be used in .NET Core and it's not the best, but I am asking anyway to be sure), considering the fact that I must pass a string to the ResetPasswordAsync method? Is ResetPasswordAsync handling the plain string securely?
2. Are there any other ideas or solutions you would recommend for the above issue? Is there any fully secure way to handle this? Maybe accessing the assembler level?
35 replies
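The pattern a reviewer usually accepts for this kind of Checkmarx finding on .NET Framework 4.6.1, as an added example that is not code from the original post and not part of ASP.NET Identity: generate the secret into a char[] that can be cleared, build the string only because the consumer demands one, and overwrite the string's characters in place afterwards with unsafe code (the managed equivalent of "going to the assembler level"). The alphabet, the 24-character length, and FakeResetPasswordAsync (a stand-in with the same shape as UserManager.ResetPasswordAsync(userId, token, newPassword)) are assumptions so the program runs without Identity; the project needs <AllowUnsafeBlocks>true</AllowUnsafeBlocks>.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;

// Added example, not the original poster's code. Demonstrates keeping a
// temporary password wipeable for as long as possible and best-effort
// clearing of the string that the Identity API forces you to create.
static class TemporaryPasswordDemo
{
    // Assumed alphabet; the post only says "GUID and special signs".
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";

    // CSPRNG-backed generation into a char[] so the caller can Array.Clear it.
    // Rejection sampling avoids the modulo bias of (byte % Alphabet.Length).
    static char[] GenerateTemporaryPassword(int length)
    {
        var result = new char[length];
        var one = new byte[1];
        int limit = 256 - (256 % Alphabet.Length); // largest multiple of the alphabet size below 256
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < length; i++)
            {
                do { rng.GetBytes(one); } while (one[0] >= limit);
                result[i] = Alphabet[one[0] % Alphabet.Length];
            }
        }
        return result;
    }

    // Overwrites the characters of a string that is no longer needed.
    // Strings are immutable by contract, so this is best effort only: never
    // call it on a literal (interned) or shared string, and any copies made
    // by the consumer (e.g. the UTF-8 bytes a password hasher derives) are
    // out of reach. A GC compaction may also leave a stale copy behind.
    static unsafe void WipeString(string s)
    {
        if (s == null) return;
        fixed (char* p = s)
        {
            for (int i = 0; i < s.Length; i++) p[i] = '\0';
        }
    }

    // Hypothetical stand-in for UserManager.ResetPasswordAsync(userId, token, newPassword):
    // it receives the plain string exactly as the Identity API would.
    static Task<bool> FakeResetPasswordAsync(string userId, string token, string newPassword)
    {
        return Task.FromResult(newPassword.Length > 0);
    }

    static async Task RunAsync()
    {
        char[] chars = GenerateTemporaryPassword(24);
        string temporaryPassword = new string(chars);   // the unavoidable string copy
        Array.Clear(chars, 0, chars.Length);             // first copy gone
        try
        {
            bool ok = await FakeResetPasswordAsync("user-1", "token", temporaryPassword);
            Console.WriteLine("reset ok: " + ok);
        }
        finally
        {
            WipeString(temporaryPassword);               // second copy overwritten in place
        }
        // The reference still exists, but its content is now all NULs.
        Console.WriteLine(temporaryPassword.TrimEnd('\0').Length == 0 ? "wiped" : "not wiped");
    }

    static void Main()
    {
        RunAsync().GetAwaiter().GetResult();
    }
}
```

What this buys is narrow: the two copies the caller controls are cleared, which is what the scanner is looking for. It does not reach the copies the consumer makes (Identity encodes the string to bytes and hashes it), and on .NET Framework SecureString offers the same best-effort property with the added cost of a Marshal round-trip to get back the string that ResetPasswordAsync requires, so converting to SecureString only moves the plain-text moment rather than removing it. A short-lived temporary password that the user is forced to change on first login is usually the stronger control.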