用于存储在内存中并提供密码的SecureString?或者是其他东西? [英] SecureString for storing in memory and presenting passwords? Or something else?
问题描述
我一直在使用C#为自己编写一个小程序,可以用来存储密码,然后检索它们以进行查看/编辑.
I have been writing a little program for myself using C# that I can use to store my passwords and then retrieve them for viewing/editing.
虽然密码以加密格式存储在磁盘上,但是当密码被读入内存以在表单上显示/编辑时,它们不会被加密.
While the passwords are stored to disk in an encrypted format, when they are read into memory for display/editing on a form, they are unencrypted.
我了解到内存中具有未加密的密码是一个非常大的安全性问题,因此我遇到了SecureString类.
I have learned that having unencrypted passwords in memory is a pretty big security problem, so I came across the SecureString class.
会比使用SecureString类更安全的方法吗?还是SecureString不辜负它的名字?
Would there be a more secure way to do this than using the SecureString class, or does SecureString live up to its name?
推荐答案
SecureString将其文本加密在内存中,不需要时可以立即将其处置.问题是,当您要显示或以几乎任何其他方式使用它时,必须将其转换为不安全的普通字符串.
SecureString keeps its text encrypted in the memory and you can dispose it immediately when you don't need it. The problem is, when you want to display it or use it in almost any other way, you have to convert it to normal string, which is not secure.
此外,我不会太依赖它-系统能够在没有任何解密密钥的情况下对其进行解密,这意味着坚定的黑客最有可能做到这一点.当黑客控制了您的计算机时,您将无法确定任何事情,并且他可能将能够使用具有良好密钥的良好算法来访问未经加密的任何内容.
Also, I wouldn't rely on it too much – the system is able to decrypt it without any decryption key, which means determined hacker will most likely be able to do the same. When a hacker gains control of your computer, you can't be sure of anything and he will be probably able to access anything that's not encrypted using a good algorithm with good key.
这篇关于用于存储在内存中并提供密码的SecureString?或者是其他东西?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
