它是绑定PasswordBox密码是一个坏主意？ [英] Is it a bad idea to bind PasswordBox password?

问题描述

我读过，在WPF PasswordBox密码不具有约束力的密码的出于安全原因的依赖项属性。尽管如此，也有无论如何绑定方式。

I've read that the password in a WPF PasswordBox does not have a dependency property for binding the password for security reasons. Despite this, there are ways to bind it anyway.

的用户MVVM模式需要此数据绑定;该视图模型不能没有打破的格局直接触摸PasswordBox。在一个MVVM设置与PasswordBoxes工作的一种方式是传递整个PasswordBox控制以视图模型，但是这破坏了图案无论如何。绑定密码可能是使用密码MVVM工作最彻底的方法。

Users of the MVVM pattern require this databinding; the viewmodel cannot touch the PasswordBox directly without breaking the pattern. One way to work with PasswordBoxes in an MVVM setting is to pass the entire PasswordBox control to the ViewModel, but this breaks the pattern anyway. Binding the Password is probably the cleanest way to work with passwords using MVVM.

有一个是的针对绑定密码，因为这种说法将保持明文密码未加密存储，直到它被垃圾收集。我看到它的方式，然而，就是密码会从您访问密码属性的瞬间存储在加密存储反正。这种观点（或类似）似乎的这个问题。当然，这将是在内存中较短的期间不绑定（而不是登录表单有被长寿命反正的趋势），但风险依然存在。

There is an argument against binding the Password since this would keep the plaintext password in unencrypted memory until it gets garbage collected. The way I see it, however, is that the password gets stored in unencrypted memory anyway from the moment you access the Password property. This view (or similar) seems to be seconded in this question. Of course it would be in memory for a shorter period without binding (not that login forms have a tendency of being long-lived anyway), but the risk is still there.

鉴于这些论点，是不是真的绑定密码的坏主意？为什么？

Given these arguments, is it really a bad idea to bind the password? And why?

推荐答案

使用工具，例如WPF督察或探听你可以窥视密码字符串。路过的PasswordBox到视图模型的替代方法是附加一个行为<&的UIElement GT;对象添加到您PasswordBox对象如下图所示：

Using tools like WPF Inspector or Snoop you can spy the password string. An alternative to passing the PasswordBox to the view-model is to attach a Behavior<UIElement> object to your PasswordBox object like below:

public sealed class PasswordBoxBehavior : Behavior<UIElement>
{
    protected override void OnAttached()
    {
        base.OnAttached();
        AssociatedObject.LostKeyboardFocus += AssociatedObjectLostKeyboardFocus;
    }

    protected override void OnDetaching()
    {
        AssociatedObject.LostKeyboardFocus -= AssociatedObjectLostKeyboardFocus;
        base.OnDetaching();
    }

    void AssociatedObjectLostKeyboardFocus(object sender, KeyboardFocusChangedEventArgs e)
    {
        var associatedPasswordBox = AssociatedObject as PasswordBox;
        if (associatedPasswordBox != null)
        {
            // Set your view-model's Password property here
        }
    }
}

和XAML代码：

<Window ...
        xmlns:i="clr-namespace:System.Windows.Interactivity;assembly=System.Windows.Interactivity">
    ...
    <PasswordBox ....>
        <i:Interaction.Behaviors>
            <local:PasswordBoxBehavior />
        </i:Interaction.Behaviors>  
    </PasswordBox>
    ...
</Window>

这篇关于它是绑定PasswordBox密码是一个坏主意？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！