Check Network Password

You use LoginUser API, but it fails in Windows 2000 because you need
SE_TCB_NAME (act as part of the operating system) set. It's the $64, 000
question on how to set this because Windows 2000 security would be pointless

If you use XP then you are ok because the fuction succeeds

Remember to use Zero Memory to clear the password from memory afterwards

Crouchie1998
BA (HONS) MCP MCSE

"Crouchie19 98" <cr**********@s pamcop.net> schrieb:

Remember to use Zero Memory to clear the password from memory afterwards

I wouldn't recommend that because the runtime can move the string object in
its lifetime before calling 'ZeroMemory' and thus still parts/copies of the
string's data can exist in memory. .NET 2.0 will contain a 'SecureString'
class which won't suffer from this problem:

'SecureString' Class ('System.Securi ty')
<URL:http://msdn2.microsoft .com/library/7kt014s1(en-us,vs.80).aspx>

--
M S Herfried K. Wagner
M V P <URL:http://dotnet.mvps.org/>
V B <URL:http://classicvb.org/petition/>

If you look at one of the KB articles about encryption then Microsoft use
ZeroMemory to clear the password. So, you are going against their
recommendations if you don't. Its also mentioned in the Platform SDK to use
it after using LoginUser API function.

What if the user is using the 1.0 or 1.1 Framework & not version 2.0 of the
Framework?

I am reading the Secure String article from the .Net Framework 2.0 Beta 2
Documentation & said that it 'should' be included in the final framework,
not 'would' as yet.

In the .Net Framework 1.0 & 1.1, I would recomment to use
ZeroMemory("[String]", [StringLength * 2])

In the old days of NT, it wasn't even used to clear the login password from
memory & I am not sure its used in XP, but is in 2000.

At the end of the day, it's up-to the user if they want a secure/insecure
application.

Crouchie1998
BA (HONS) MCP MCSE

"Crouchie19 98" <cr**********@s pamcop.net> schrieb:

If you look at one of the KB articles about encryption then Microsoft use
ZeroMemory to clear the password. So, you are going against their
recommendations if you don't. Its also mentioned in the Platform SDK to
use
it after using LoginUser API function.

Do you have the URL of this article? I still think that this recommendation
is rather useless for .NET-based applications.

--
M S Herfried K. Wagner
M V P <URL:http://dotnet.mvps.org/>
V B <URL:http://classicvb.org/petition/>

Crouchie,
| If you look at one of the KB articles about encryption then Microsoft use
| ZeroMemory to clear the password. So, you are going against their
| recommendations if you don't. Its also mentioned in the Platform SDK to
use
| it after using LoginUser API function.
I would say you are going against their "suggestion " if you don't. Not
"recommendation s".

See the "sizeof? is there a .NET equivalent" thread in this newsgroup for
further info on the "problems" of calling ZeroMemory.

Keith Brown's book "The .NET Developer's Guide to Windows Security" from
Addison Wesley contains a plethora of information on security under Win32 &
specifically .NET. I want to say it included a discussion of "zeroing"
memory. You can access the book on-line at:
http://www.pluralsight.com/keith/book/html/book.html, unfortunately I don't
remember which topics discussed "zeroing" memory.

Thinking about it, it may have been one of Keith Brown's MSDN Magazine
articles that discusses "zeroing" memory in .NET, or possible even his
blog...

Hope this helps
Jay

"Crouchie19 98" <cr**********@s pamcop.net> wrote in message
news:%2******** ********@TK2MSF TNGP14.phx.gbl. ..
| If you look at one of the KB articles about encryption then Microsoft use
| ZeroMemory to clear the password. So, you are going against their
| recommendations if you don't. Its also mentioned in the Platform SDK to
use
| it after using LoginUser API function.
|
| What if the user is using the 1.0 or 1.1 Framework & not version 2.0 of
the
| Framework?
|
| I am reading the Secure String article from the .Net Framework 2.0 Beta 2
| Documentation & said that it 'should' be included in the final framework,
| not 'would' as yet.
|
| In the .Net Framework 1.0 & 1.1, I would recomment to use
| ZeroMemory("[String]", [StringLength * 2])
|
| In the old days of NT, it wasn't even used to clear the login password
from
| memory & I am not sure its used in XP, but is in 2000.
|
| At the end of the day, it's up-to the user if they want a secure/insecure
| application.
|
| Crouchie1998
| BA (HONS) MCP MCSE
|
|

Crouchie,
Here's another article about SecureString.

http://msdn.microsoft.com/msdnmag/is...ecurityBriefs/

Hope this helps
Jay

"Crouchie19 98" <cr**********@s pamcop.net> wrote in message
news:%2******** ********@TK2MSF TNGP14.phx.gbl. ..
| If you look at one of the KB articles about encryption then Microsoft use
| ZeroMemory to clear the password. So, you are going against their
| recommendations if you don't. Its also mentioned in the Platform SDK to
use
| it after using LoginUser API function.
|
| What if the user is using the 1.0 or 1.1 Framework & not version 2.0 of
the
| Framework?
|
| I am reading the Secure String article from the .Net Framework 2.0 Beta 2
| Documentation & said that it 'should' be included in the final framework,
| not 'would' as yet.
|
| In the .Net Framework 1.0 & 1.1, I would recomment to use
| ZeroMemory("[String]", [StringLength * 2])
|
| In the old days of NT, it wasn't even used to clear the login password
from
| memory & I am not sure its used in XP, but is in 2000.
|
| At the end of the day, it's up-to the user if they want a secure/insecure
| application.
|
| Crouchie1998
| BA (HONS) MCP MCSE
|
|

Jay, I have the Framework Beta 2 SDK on my development machine.

Here's the article in which Microsoft use ZeroMemory like I described
before:

http://support.microsoft.com/default...b;en-us;301070

You need to look at the very last few lines of code

Crouchie1998
BA (HONS) MCP MCSE

Crouchie,
Yes I've seen that code as part of the "sizeof? is there a .NET equivalent"
thread in this newsgroup, the other day.

My statements still stand!

Hope this helps
Jay
"Crouchie19 98" <cr**********@s pamcop.net> wrote in message
news:%2******** ********@TK2MSF TNGP10.phx.gbl. ..
| Jay, I have the Framework Beta 2 SDK on my development machine.
|
| Here's the article in which Microsoft use ZeroMemory like I described
| before:
|
| http://support.microsoft.com/default...b;en-us;301070
|
| You need to look at the very last few lines of code
|
| Crouchie1998
| BA (HONS) MCP MCSE
|
|

Hi guys, I got it :)

Thanks so much!!!

Henry :)
"Jay B. Harlow [MVP - Outlook]" <Ja************ @msn.com> wrote in message news:<OL******* *******@TK2MSFT NGP15.phx.gbl>. ..

Crouchie,
Yes I've seen that code as part of the "sizeof? is there a .NET equivalent"
thread in this newsgroup, the other day.

My statements still stand!

Hope this helps
Jay
"Crouchie19 98" <cr**********@s pamcop.net> wrote in message
news:%2******** ********@TK2MSF TNGP10.phx.gbl. ..
| Jay, I have the Framework Beta 2 SDK on my development machine.
|
| Here's the article in which Microsoft use ZeroMemory like I described
| before:
|
| http://support.microsoft.com/default...b;en-us;301070
|
| You need to look at the very last few lines of code
|
| Crouchie1998
| BA (HONS) MCP MCSE
|
|