When writing a WPF application, the PasswordBox stores the entered password as a SecureString. This totally makes sense. However, I want to send the password via an HTTP API, and the HttpClient PostAsync seems to accept strings for form-encoded data.

I am aware that other people have asked related questions, most notably Is SecureString ever practical in a C# application?, but I have not found a satisfactory method to send this SecureString to the Http endpoint, without first converting it to a String. The conversion totally defeats the object of SecureString in the first place (because it puts the plaintext right back into the managed memory).

Is there a canonically correct (and preferably straightforward) way to do this?

For complete disclosure - I have no control over the HTTP API.

1 Answer

I think that, although not perfect, the best solution for you is to use the DecryptSecureString method, posted by rdev5 on this answer (after all, the password is being transferred in plaintext over the network anyway).

rdev5's method decrypts the SecureString into a string, does what you tell it to do with the password, and then wipes it from memory. This reduces the window during which the password is in memory, and thus the time during which it could be peeked at there.

Strings.DecryptSecureString(secureString, (password) =>
{
    // Do your API call here
});

P.S.: As pointed out in the original post, just be sure not to save the content of password elsewhere.

1 Comment

It might not be globally ideal, but it does solve the problem of the lack of a DisposableString type. So thank you. I would like to note that the password is not technically sent in plaintext since the HTTP API is a secure connection.
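
As an added example (not part of the original answer or comment, and not rdev5's code): HttpClient.PostAsync takes any HttpContent, so the form body can be built in a pinned byte[] and sent as ByteArrayContent without ever creating a managed string for the password. The helper name, the `username` and `password` field names and the endpoint are assumptions; HttpClient and the TLS layer may still copy the bytes internally, so this narrows the exposure window rather than removing it.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
using System.Threading.Tasks;

public static class SecureFormPost
{
    // Hypothetical helper; the form field names are assumptions, not the asker's API.
    public static async Task<HttpResponseMessage> PostLoginAsync(
        HttpClient client, Uri endpoint, string user, SecureString password)
    {
        byte[] prefix = Encoding.ASCII.GetBytes("username=" + Uri.EscapeDataString(user) + "&password=");
        var chars = new char[password.Length];
        var utf8 = new byte[Encoding.UTF8.GetMaxByteCount(chars.Length)];
        var body = new byte[prefix.Length + utf8.Length * 3]; // every byte becomes "%XX"
        // Pin while the buffers are still empty so the GC cannot leave relocated copies behind.
        GCHandle hChars = GCHandle.Alloc(chars, GCHandleType.Pinned);
        GCHandle hUtf8 = GCHandle.Alloc(utf8, GCHandleType.Pinned);
        GCHandle hBody = GCHandle.Alloc(body, GCHandleType.Pinned);
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(password);      // unmanaged plaintext copy
            Marshal.Copy(bstr, chars, 0, chars.Length);
            int n = Encoding.UTF8.GetBytes(chars, 0, chars.Length, utf8, 0);
            Buffer.BlockCopy(prefix, 0, body, 0, prefix.Length);
            int pos = prefix.Length;
            // Percent-encode every byte: valid form encoding, and no string is needed.
            for (int i = 0; i < n; i++)
            {
                body[pos++] = (byte)'%';
                body[pos++] = (byte)"0123456789ABCDEF"[utf8[i] >> 4];
                body[pos++] = (byte)"0123456789ABCDEF"[utf8[i] & 0x0F];
            }
            var content = new ByteArrayContent(body, 0, pos);
            content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
            return await client.PostAsync(endpoint, content).ConfigureAwait(false);
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr); // zero, then free, the BSTR
            Array.Clear(chars, 0, chars.Length);
            Array.Clear(utf8, 0, utf8.Length);
            Array.Clear(body, 0, body.Length);
            hChars.Free(); hUtf8.Free(); hBody.Free();
        }
    }
}
```

The `finally` block runs only after the awaited POST completes, so the buffers stay valid while the request is being sent and are zeroed on both success and failure.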
