
I want to clear "immutable" string contents

Hi All!

I want to clear the string contents from sensitive information
such as passwords, etc.

It's always the case that a password will appear as a string at some point
or another. And I feel uneasy leaving it hanging in memory indefinitely
(especially in the case when the string is interned).

So at least for the case when the string is not interned I propose:

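    string pass = Console.ReadLine();
    // Only touch the string if no string with this value is in the intern pool.
    if (string.IsInterned(pass) == null)
    {
        unsafe
        {
            // Pin the string so the GC cannot move it while it is overwritten.
            fixed (void* pv = pass)
            {
                char* pb = (char*)pv;
                // Overwrite every character in place with '0'.
                for (int i = 0; i < pass.Length; ++i)
                    pb[i] = '0';
            }
        }
    }
    Console.WriteLine(pass);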

Note: explicit RuntimeHelpers.OffsetToStringData is not needed.

What do you all think about this?
Jul 19 '05 #1

Hi,

Since you know that strings are immutable, you can't clear or modify them in
any way (in theory).

Why not use a char array instead to store your password chars? It is at your
own disposal to create the array and destroy it. A few chars won't take up
too much memory.

Edward

Jul 19 '05 #2

Hi,

I would love to use byte[] or char[],
but it's not my choice. I'm using TextControl
to get information from the user in winform.
And it only has Text property.

Jul 19 '05 #3

Yes i can use GetWindowText myself, but i also use
PasswordDeriveBytes to derive keys for encryption
from user password and that only takes a string.

"JD" <No@Where.com> wrote in message news:<#i**************@TK2MSFTNGP09.phx.gbl>...
> Could you create a password control that stores the text into a byte[]
> instead of a string so that the pass never gets interned?
>
> - J

Jul 19 '05 #4
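
Added example, not part of any post in this thread: the char-array approach suggested above, carried through to key derivation so that no System.String ever holds the password. It assumes .NET 6 or later; the class and method names, the 128-character limit and the PBKDF2 parameters are choices made for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordBufferDemo   // hypothetical name, not from the thread
{
    // Reads keystrokes into a caller-owned buffer; no System.String is created.
    static int ReadPassword(char[] buffer)
    {
        int n = 0;
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);
            if (key.Key == ConsoleKey.Enter) return n;
            if (key.Key == ConsoleKey.Backspace) { if (n > 0) buffer[--n] = '\0'; }
            else if (key.KeyChar != '\0' && n < buffer.Length) buffer[n++] = key.KeyChar;
        }
    }

    // PBKDF2 over the UTF-8 bytes; the temporary byte copy is wiped before returning.
    static byte[] DeriveKey(char[] password, int length, byte[] salt)
    {
        // Pinned so the GC cannot relocate the buffer and leave a stale copy behind.
        byte[] utf8 = GC.AllocateArray<byte>(Encoding.UTF8.GetMaxByteCount(length), pinned: true);
        try
        {
            int used = Encoding.UTF8.GetBytes(password, 0, length, utf8, 0);
            // Assumed parameters: 600,000 iterations, SHA-256, 32-byte output.
            return Rfc2898DeriveBytes.Pbkdf2(new ReadOnlySpan<byte>(utf8, 0, used), salt,
                600_000, HashAlgorithmName.SHA256, 32);
        }
        finally { CryptographicOperations.ZeroMemory(utf8); }
    }

    static void Main()
    {
        char[] password = GC.AllocateArray<char>(128, pinned: true); // assumed maximum length
        byte[] salt = RandomNumberGenerator.GetBytes(16);            // would be stored with the ciphertext
        try
        {
            int length = ReadPassword(password);
            byte[] key = DeriveKey(password, length, salt);
            Console.WriteLine("derived a {0}-byte key", key.Length);
            CryptographicOperations.ZeroMemory(key);
        }
        finally { Array.Clear(password, 0, password.Length); }
    }
}
```

Console.ReadKey throws when standard input is redirected, so this runs only in an interactive console.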

If a common string is used over and over again, .NET
may "intern" it or make a single instance of it and
whenever you try to create a new instance of it, it'll
just return you the reference to the main, interned one.

I believe this happens during JIT. It recognizes common
strings and just makes one copy of them.

-c

"News VS.NET ( MS ILM )" <sq**********@hotmail.com> wrote in message
news:uL*************@TK2MSFTNGP10.phx.gbl...
> Excuse my not knowing
> What does interned mean here.??

Jul 19 '05 #5

Chad

Thank you.

Jul 19 '05 #6

Chad Myers <cm****@N0.SP.AM.austin.rr.com> wrote:
> If a common string is used over and over again, .NET
> may "intern" it or make a single instance of it and
> whenever you try to create a new instance of it, it'll
> just return you the reference to the main, interned one.
>
> I believe this happens during JIT. It recognizes common
> strings and just makes one copy of them.

Fortunately it's not nearly as heuristic as that. All string
literals/constants are interned, and any string which you call Intern
on is interned. I don't believe anything else will get interned. You
also don't get the interned copy whenever you create a string with
identical contents - it's only if you're using the same string literal
or if you specifically ask for the interned version.

If the JIT started interning other strings, you'd end up with a
possible memory leak.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet/
If replying to the group, please do not mail me too
Jul 19 '05 #7
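
Added example, not code from any poster: it sets up the two cases separated in the last reply (a string that was explicitly interned, and a second string with identical contents) and prints what string.IsInterned reports for each. string.IsInterned looks a string up by value, so a null check on its result and a check that this exact instance is the pooled one are different tests; the class and helper names and the sample value are made up for this illustration.

```csharp
using System;
using System.Text;

static class InternCheckDemo   // hypothetical name, not from the thread
{
    // string.IsInterned looks the value up in the pool: it returns the pooled
    // reference for any string with equal contents, not only for the pooled instance.
    static bool EqualValueIsPooled(string s) => string.IsInterned(s) != null;

    // True only when this exact object is the one the pool holds.
    static bool IsPooledInstance(string s) => ReferenceEquals(string.IsInterned(s), s);

    // Builds the value at run time so that no literal with these contents exists.
    static string Build(params string[] parts)
    {
        var sb = new StringBuilder();
        foreach (string part in parts) sb.Append(part);
        return sb.ToString();
    }

    static void Report(string label, string s) =>
        Console.WriteLine("{0,-24} equal value pooled: {1,-5} this instance pooled: {2}",
            label, EqualValueIsPooled(s), IsPooledInstance(s));

    static void Main()
    {
        // Constructed sample values with identical contents in two separate objects.
        string first = Build("correct-", "horse");
        string second = Build("correct", "-horse");

        Report("first, before Intern", first);
        string.Intern(first);                  // explicit Intern pools this instance
        Report("first, after Intern", first);
        Report("second, separate copy", second);
        Console.WriteLine("same object: {0}", ReferenceEquals(first, second));
    }
}
```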
