I want to clear "immutable" string contents

Hi All!

I want to clear the string contents from sensitive information
such as passwords, and etc.

It's always a case that password will appear as string at some point
or another. And i feel uneasy leaving it hanging in memory indefinitely
(especially in case when string is Interned).

So at leats for the case when string is not interned i propose:

string pass = Console.ReadLine();
if (string.IsInterned(pass) == null)
{
unsafe
{
fixed(void* pv = pass)
{
char* pb = (char*)pv;
for(int i =0; i<pass.Length; ++i)
pb[i] = '0';
}
}
}
Console.WriteLine(pass);

Note: explicit RuntimeHelpers.OffsetToStringData is not needed.

What do you all think about this?

Hi,

Since you know that strings are immutable, you can't clear or modify them in
any way (in theory).

Why not use a char array instead to store your password chars? It is at your
own disposal to create the array and destroy it. A few chars won't take up
too much memory.

Edward

"cppdev" <cp*****@yahoo.com> wrote in message
news:fc*************************@posting.google.co m...

Hi All!

I want to clear the string contents from sensitive information
such as passwords, and etc.

It's always a case that password will appear as string at some point
or another. And i feel uneasy leaving it hanging in memory indefinitely
(especially in case when string is Interned).

So at leats for the case when string is not interned i propose:

string pass = Console.ReadLine();
if (string.IsInterned(pass) == null)
{
unsafe
{
fixed(void* pv = pass)
{
char* pb = (char*)pv;
for(int i =0; i<pass.Length; ++i)
pb[i] = '0';
}
}
}
Console.WriteLine(pass);

Note: explicit RuntimeHelpers.OffsetToStringData is not needed.

What do you all think about this?

Could you create a password control that stores the text into a byte[]
instead of a string so that the pass never gets interned?

- J

"cppdev" <cp*****@yahoo.com> wrote in message
news:fc**************************@posting.google.c om...

Hi,

I would love to use byte[] or char[],
but it's not my choice. I'm using TextControl
to get information from the user in winform.
And it only has Text property.

"Edward Yang" <neo_in_matrix@> wrote in message

news:<OU**************@TK2MSFTNGP09.phx.gbl>...

Hi,

Since you know that strings are immutable, you can't clear or modify them in any way (in theory).

Why not use a char array instead to store your password chars? It is at your own disposal to create the array and destroy it. A few chars won't take up too much memory.

Edward

"cppdev" <cp*****@yahoo.com> wrote in message
news:fc*************************@posting.google.co m...
> Hi All!
>
> I want to clear the string contents from sensitive information
> such as passwords, and etc.
>
> It's always a case that password will appear as string at some point
> or another. And i feel uneasy leaving it hanging in memory indefinitely > (especially in case when string is Interned).
>
> So at leats for the case when string is not interned i propose:
>
> string pass = Console.ReadLine();
> if (string.IsInterned(pass) == null)
> {
> unsafe
> {
> fixed(void* pv = pass)
> {
> char* pb = (char*)pv;
> for(int i =0; i<pass.Length; ++i)
> pb[i] = '0';
> }
> }
> }
> Console.WriteLine(pass);
>
> Note: explicit RuntimeHelpers.OffsetToStringData is not needed.
>
> What do you all think about this?

Excuse my now knowing
What does interned mean here.??

"JD" <No@Where.com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...

Could you create a password control that stores the text into a byte[] instead of a string so that the pass never gets interned?

- J

"cppdev" <cp*****@yahoo.com> wrote in message
news:fc**************************@posting.google.c om...

Hi,

I would love to use byte[] or char[],
but it's not my choice. I'm using TextControl
to get information from the user in winform.
And it only has Text property.

"Edward Yang" <neo_in_matrix@> wrote in message news:<OU**************@TK2MSFTNGP09.phx.gbl>...

> Hi,
>
> Since you know that strings are immutable, you can't clear or modify

them in

> any way (in theory).
>
> Why not use a char array instead to store your password chars?

It is at

your

> own disposal to create the array and destroy it. A few chars

won't take

up

> too much memory.
>
> Edward
>
> "cppdev" <cp*****@yahoo.com> wrote in message
> news:fc*************************@posting.google.co m...
> > Hi All!
> >
> > I want to clear the string contents from sensitive information
> > such as passwords, and etc.
> >
> > It's always a case that password will appear as string at some

point > > or another. And i feel uneasy leaving it hanging in memory

indefinitely

> > (especially in case when string is Interned).
> >
> > So at leats for the case when string is not interned i propose: > >
> > string pass = Console.ReadLine();
> > if (string.IsInterned(pass) == null)
> > {
> > unsafe
> > {
> > fixed(void* pv = pass)
> > {
> > char* pb = (char*)pv;
> > for(int i =0; i<pass.Length; ++i)
> > pb[i] = '0';
> > }
> > }
> > }
> > Console.WriteLine(pass);
> >
> > Note: explicit RuntimeHelpers.OffsetToStringData is not needed. > >
> > What do you all think about this?

If a common string is used over and over again, .NET
may "intern" it or make a single instance of it and
whenever you try to create a new instance of it, it'll
just return you the reference to the main, interned one.

I believe this happens during JIT. It recognizes common
strings and just makes one copy of them.

-c

"News VS.NET ( MS ILM )" <sq**********@hotmail.com> wrote in message
news:uL*************@TK2MSFTNGP10.phx.gbl...

Excuse my now knowing
What does interned mean here.??

"JD" <No@Where.com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...

Could you create a password control that stores the text into a byte[] instead of a string so that the pass never gets interned?

- J

"cppdev" <cp*****@yahoo.com> wrote in message
news:fc**************************@posting.google.c om...
> Hi,
>
> I would love to use byte[] or char[],
> but it's not my choice. I'm using TextControl
> to get information from the user in winform.
> And it only has Text property.
>
> "Edward Yang" <neo_in_matrix@> wrote in message
news:<OU**************@TK2MSFTNGP09.phx.gbl>...
> > Hi,
> >
> > Since you know that strings are immutable, you can't clear or modify them in
> > any way (in theory).
> >
> > Why not use a char array instead to store your password chars? It is

at

your
> > own disposal to create the array and destroy it. A few chars

won't

take

up
> > too much memory.
> >
> > Edward
> >
> > "cppdev" <cp*****@yahoo.com> wrote in message
> > news:fc*************************@posting.google.co m...
> > > Hi All!
> > >
> > > I want to clear the string contents from sensitive information
> > > such as passwords, and etc.
> > >
> > > It's always a case that password will appear as string at some

point > > > or another. And i feel uneasy leaving it hanging in memory
indefinitely
> > > (especially in case when string is Interned).
> > >
> > > So at leats for the case when string is not interned i propose: > > >
> > > string pass = Console.ReadLine();
> > > if (string.IsInterned(pass) == null)
> > > {
> > > unsafe
> > > {
> > > fixed(void* pv = pass)
> > > {
> > > char* pb = (char*)pv;
> > > for(int i =0; i<pass.Length; ++i)
> > > pb[i] = '0';
> > > }
> > > }
> > > }
> > > Console.WriteLine(pass);
> > >
> > > Note: explicit RuntimeHelpers.OffsetToStringData is not needed. > > >
> > > What do you all think about this?

If a common string is used over and over again, .NET
may "intern" it or make a single instance of it and
whenever you try to create a new instance of it, it'll
just return you the reference to the main, interned one.

I believe this happens during JIT. It recognizes common
strings and just makes one copy of them.