Windows Forms TextBox not secure for passwords

[NewsBot]

I just verified something I've suspected for a while now. If you use a Win32-based TextBox control (this also includes*the*WinForms TextBox control) for entering passwords, external applications can get the password by simply sending the WM_GETTEXT message to it. That's how most password revealers work and you can verify this very easily with Spy++ that's installed with Visual Studio.

 

It is however very easy to protect against this type of attack. Which makes me wonder why the WinForms TextBox isn't protected and why I haven't*read more about this.

 

If you develop Windows Forms applications and you use the standard TextBox to let the user enter a password, you should definitely read the blog post I wrote about this: Making your password TextBox more secure.

 

This is so typical: you can secure your applications, encrypt your data, encrypt your communication, and then something very simple like this circumvents your entire security system. Apparently even Outlook 2003 (haven't checked 2007 yet) is vulnerable to this.

 

 

More...

 

View All Our Microsoft Related Feeds