WPF PasswordBox中的密码的安全性利益是否不可绑定? [英] Safety benefits of the Password in WPF PasswordBox not being bindable?
问题描述
我偶然发现了WPF PasswordBox es的Password属性出于安全性原因不可绑定的事实,这使得在MVVM上下文中使用它们非常麻烦.
像 https://stackoverflow.com/a/1493330/3198247 之类的答案表明,否则,密码可能以纯文本格式存储在运行时将其存储在内存中,这是个坏主意,因为恶意软件可能会读取该文本.
I just stumbled across the fact that the Password property of WPF PasswordBoxes is not bindable for security reasons, which makes using them quite cumbersome in a MVVM context.
Answers like https://stackoverflow.com/a/1493330/3198247 suggest that otherwise, the password might be stored in plain text in memory at runtime, which would be a bad idea since it could potentially be read by malware.
但是,我似乎仍然不太了解一般的原因或答案.在那里,它说在客户端计算机RAM上以纯文本格式保存密码是不安全的..但是,输入密码后,密码便会立即存储在内存中,因为我可以从代码中访问它. 那么,为什么恶意软件不能直接从文本框中读取它呢?我在这里想念另一点吗?
However, I still don't seem to understand the reason in general or that answer. There, it says Keeping your password in plain text on the client machine RAM is a security no-no.. However, the password is in memory as soon as it is typed as I'm able to access it from code. So why would malware not be able to read it directly from the textbox? Am I missing another point here?
为澄清起见,尤其是. w/考虑到Sheridan的答案:假设PasswordBox,其中用户键入"pw"作为他的密码.然后,很明显"pw"在内存中,因为我可以通过PasswordBox.Password检索它. 为什么又不能将其绑定到ViewModel的字符串属性呢?然后,"pw"最多将包含在两个字符串中,但是据我所知,这不应或多或少使其安全.还是真的是要提醒"程序员,PW的存储时间不应超过所需时间?
edit: To clarify, esp. w/ regards to Sheridan's answer: Assume a PasswordBox where a user types "pw" as his password. Then, clearly "pw" is in memory as I can retrieve it via PasswordBox.Password. Why is it then insecure to additionally be able to bind it to a string property of a ViewModel? Then, "pw" would at most be contained in two strings, but as far as I can see, this should not make it any more or less secure. Or is the point really to "remind" the programmer that the PW should not be stored for longer than needed?
推荐答案
已阅读此答案 为什么使用char []而不是使用String作为密码? 我知道它是Java,但我相信同样的规则也适用.但是根据系统所需的安全级别,它应该足够了.恶意软件总会以各种方式获取信息,例如键盘记录,但是您只能做很多事情.
Have a read of this answer Why is char[] preferred over String for passwords? I know it is java but I believe the same rule apply. But depending on the level of security required for your system it should be enough. Theres always ways that malware will obtain information e.g. keylogging but theres only so much you can do.
这篇关于WPF PasswordBox中的密码的安全性利益是否不可绑定?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
