Using SecureString


Solution 1

You could use Linq:

"fizzbuzz".ToCharArray().ToList().ForEach(p => secureString.AppendChar(p));

Solution 2

Just use NetworkCredential. It has the conversion logic built-in.

SecureString ss = new NetworkCredential("", "fizzbuzz").SecurePassword;

As others have noted, all of these techniques strip the security benefits of SecureString, but in certain situations (such as unit tests) this may be acceptable.

Update:

As noted in the comments, NetworkCredential can also be used to convert a SecureString back to a string.

string s = new NetworkCredential("", ss).Password;

Solution 3

Apart from using unsafe code and a char*, there isn't a (much) better way.

The point here is not to copy SecureString contents to/from normal strings. The "fizzbuzz" constant is the security leak here.
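
The point made in this answer (keep the secret out of normal strings), shown as an added example that is not part of the original answer. `FromChars` and `WithPlaintext` are hypothetical helper names, and the `char[]` is constructed sample input standing in for characters collected one at a time.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringExample
{
    // Hypothetical helper: moves a char[] into a SecureString, then wipes the source buffer.
    public static SecureString FromChars(char[] buffer)
    {
        var ss = new SecureString();
        try
        {
            foreach (char c in buffer) ss.AppendChar(c);
            ss.MakeReadOnly();              // no further modification allowed
            return ss;
        }
        catch { ss.Dispose(); throw; }
        finally { Array.Clear(buffer, 0, buffer.Length); }
    }

    // Hypothetical helper: exposes the plaintext only for the duration of the callback,
    // then zeroes both the managed copy and the unmanaged copy.
    public static void WithPlaintext(SecureString ss, Action<char[]> use)
    {
        IntPtr ptr = IntPtr.Zero;
        char[] chars = new char[ss.Length];
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(ss);
            Marshal.Copy(ptr, chars, 0, chars.Length);
            use(chars);
        }
        finally
        {
            Array.Clear(chars, 0, chars.Length);
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        // Constructed sample input: a char[] can be wiped after use, an immutable string cannot.
        char[] typed = { 'f', 'i', 'z', 'z', 'b', 'u', 'z', 'z' };
        using (SecureString ss = FromChars(typed))
        {
            Console.WriteLine(typed[0] == '\0');   // checks that the source buffer was cleared
            WithPlaintext(ss, chars => Console.WriteLine(chars.Length));
        }
    }
}
```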

Solution 4

Slight improvement on Sascha's answer, replacing the lambda with a method group:

"fizzbuzz".ToCharArray().ToList().ForEach(ss.AppendChar);

Solution 5

var s = "fizzbuzz".Aggregate(new SecureString(), (ss, c) => { ss.AppendChar(c); return ss; });
Author by

Todd Smith

Updated on July 09, 2022

Comments

  • Todd Smith
    Todd Smith almost 2 years

    Can this be simplified to a one liner? Feel free to completely rewrite it as long as secureString gets initialized properly.

    SecureString secureString = new SecureString ();
    foreach (char c in "fizzbuzz".ToCharArray())
    {
        secureString.AppendChar (c);
    }
    
  • and_the_rand
    and_the_rand over 14 years
    Beat me to it -- +1. Plus the additional changes you need to make to allow for unsafe code negates any "savings" on lines of code.
  • Todd Smith
    Todd Smith over 14 years
    I guess I can throw this into an extension method to get what I'm after: processInfo.Password = new SecureString ().FromString ("fizzbuzz")
  • Todd Smith
    Todd Smith over 14 years
    Don't most passwords originate in most software as strings and then need to be converted to a SecureString? Not sure what you mean by "not to copy SecureString contents from normal string". In normal circumstances that would be string password. "fizzbuzz" is just a homage.
  • Henk Holterman
    Henk Holterman over 14 years
    Yes, and that greatly reduces the usability of SecureString.
  • Todd Smith
    Todd Smith over 14 years
    SecureString is a property of ProcessStartInfo and is needed for Process.Start(). Blame MS not the messenger :)
  • Doug
    Doug almost 14 years
    If you're collecting a SecureString from keystrokes, you don't actually have an original string. This, I believe, was the original intent of SecureString.
  • Steve Guidi
    Steve Guidi over 12 years
    You can avoid the extra .ToList() operation with the following: Array.ForEach("fizzbuzz".ToCharArray(), secureString.AppendChar);
  • rudolf_franek
    rudolf_franek over 10 years
    and it is not available prior to .NET 4.0
  • DonBoitnott
    DonBoitnott about 10 years
    Note that the use of fixed requires an unsafe block, which in turn requires the compiler switch /unsafe.
  • CodeFox
    CodeFox about 8 years
    @JohannesOvermann, what do you mean with both directions? (As far as I can see, NetworkCredential consumes either a plain text password or a SecureString password, but only exposes a plain text password in the former case.)
  • Johannes Overmann
    Johannes Overmann about 8 years
    @CodeFox: I meant that it can be used to translate String -> SecureString and SecureString -> String. I think it always consumes both and always exposes both. But from your question I take it that the SecureString -> String does not work?
  • CodeFox
    CodeFox about 8 years
    @JohannesOvermann, yes - that was my assumption after reading the MSDN documentation of the NetworkCredential class. I have tried it out and I can now confirm your original comment. Thanks again!
  • Johannes Overmann
    Johannes Overmann about 8 years
    @CodeFox: Thanks for trying it out and for confirming that it actually works!
  • Greg
    Greg almost 8 years
    You don't have to declare ToCharArray, Linq will automatically enumerate as a char array.
  • nagates
    nagates about 7 years
    this is still a 2 liner though? You still need to have declared secureString.
  • jpaugh
    jpaugh about 7 years
    At least in later versions of .NET (say, 4.5), this is possible "fizzbuzz".ForEach(secureString.AppendChar)
  • Timothy Schoonover
    Timothy Schoonover over 6 years
    This is very elegant.
  • crush
    crush over 6 years
    I've yet to find a Q&A that talks about how to capture a string that you want to make secure into the process to begin with. For example, say I fetch a password from user input from a password form control on a Windows form. How could I get that input securely? Wouldn't it already be in a string the moment I get it from the control, negating my attempts at securing it? Can I force garbage collection on the string after retrieving it from the control and placing it into my SecureString?
  • Henk Holterman
    Henk Holterman over 6 years
    Yes, (G)UI support is all but absent. The WPF PasswordBox does have a SecureString property but I don't know how well (securely) that is implemented.
  • Maxx
    Maxx about 5 years
    Why didn't MS add this to the framework? The class is completely useless if you can't access the value. Seems like they (MS) either didn't really want people to use SecureString, or are even more inept than I previously have accused.