Can a password be stored in plain text as long as it's in memory, and not persisted in a database, files etc.?

Please see the code snippets below (one has the sensitive data, like the password, in plain text and the other encrypts the plain text). I understand that if one persists these in files or a database etc., one needs to take preventive measures like setting ACLs so that an attacker cannot get to them easily.

But, what if the password doesn't need to be persisted:

  1. Is approach 2 really better than approach 1, given that the password is in memory only? Or is it unnecessary? Or is there a possibility that someone can read through the memory to get to the password, so that it is always recommended to be encrypted, whether in memory or while persisted?

  2. What if the object is serialized and passed across app domains? (Please note that I understand if the password is sent via HTTP (network), it needs to be encrypted, but if it's just across app domains can I send plain passwords?)

Regards,

Plain text password code snippet

    using System;

    [Serializable]
    class PlainTextPassword
    {
        // Password stored in plain text
        private string _plainTextPassword = null;

        public PlainTextPassword(string password)
        {
            this._plainTextPassword = password;
        }

        public string Password
        {
            get { return this._plainTextPassword; }
        }
    }

Encrypted password code snippet

    using System;
    using System.Security.Cryptography;
    using System.Text;

    [Serializable]
    class EncryptedPassword
    {
        // DPAPI ciphertext, Base64-encoded so arbitrary bytes round-trip in a string
        private string _encryptedPassword = null;

        public EncryptedPassword(string password)
        {
            // Note: the plaintext 'password' argument is an immutable managed string
            // and stays on the heap until the GC collects it.
            byte[] encryptedPassword = ProtectedData.Protect(
                Encoding.Unicode.GetBytes(password), null, DataProtectionScope.CurrentUser);
            // Encoding.Unicode.GetString() on ciphertext is lossy (invalid UTF-16 code
            // units are replaced), so Base64 is used to keep the bytes intact.
            this._encryptedPassword = Convert.ToBase64String(encryptedPassword);
        }

        public string Password
        {
            get { return this._encryptedPassword; }
        }
    }

Answers


Approach 2) isn't any more secure than 1) in terms of memory snapshots. You have no control over when the original password is released by the GC (as you have little control over the GC) - so if you're shooting for security against memory snapshots, take a look at SecureString.

Reference: http://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.110).aspx

As for tools that can take a memory snapshot, take a look at some profilers (like Dynatrace).
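As an added illustration of the answer's SecureString recommendation (example code, not from the question or the answer), this shows the two habits the class depends on: filling it without ever creating a managed string, and exposing the plaintext only as a short-lived unmanaged buffer that is zeroed afterwards. The console-reading loop and the callback consumer are assumptions made for the demo; framework APIs such as ProcessStartInfo.Password and NetworkCredential accept a SecureString directly.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
// Added example (not from the question or answer): keep a secret off the
// managed heap by never materialising it as a System.String.
static class SecretHolder
{
    // Append each key straight into the SecureString; no System.String copy is made.
    public static SecureString ReadFromConsole()
    {
        var secret = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace && secret.Length > 0)
                secret.RemoveAt(secret.Length - 1);
            else if (!char.IsControl(key.KeyChar))
                secret.AppendChar(key.KeyChar);
        }
        secret.MakeReadOnly(); // later AppendChar/RemoveAt calls throw
        return secret;
    }
    // Expose the plaintext only as a temporary unmanaged UTF-16 buffer that is
    // zeroed when 'use' returns or throws; the callback gets a pointer, not a string.
    public static void WithPlaintext(SecureString secret, Action<IntPtr, int> use)
    {
        IntPtr buf = IntPtr.Zero;
        try
        {
            buf = Marshal.SecureStringToGlobalAllocUnicode(secret);
            use(buf, secret.Length);
        }
        finally
        {
            if (buf != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(buf); // overwrite, then free
        }
    }
}
class Program
{
    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString secret = SecretHolder.ReadFromConsole()) // Dispose() zeroes it
            // Stand-in for a native API taking a wide-char buffer; only the length is used.
            SecretHolder.WithPlaintext(secret, (ptr, len) =>
                Console.WriteLine("\nPlaintext held for {0} chars, now zeroed.", len));
    }
}
```

Converting the buffer back with Marshal.PtrToStringUni, or constructing the SecureString from an existing string, recreates exactly the GC-managed copy the answer warns about.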

