Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
user has an ASPX page.
it has textox input ( for password).
the user fill his password.
the page is submitted to the IIS.
it first goes to the iis.
by this stage the password is in memory at plain text.
now Asp.net put its password in Secure String.
after doing some calculations , the page is being sent to the client.
from the IIS POV :
he still actually see the password as plain text…isnt it ?
As per your story, it makes little sense to store the password in
SecureString. It was already present in the memory as a normal string once so storing it back inSecureStringis no that useful. Plus, when the form goes back, everything will still be sent back as plain text.In these situations, it is best to secure the server-client communication (i.e. with SSL), rather than trying to secure the system from attackers who would gain access to the computer, analyze the memory, and extract passwords(!).