I am creating an application that requires user login (username + password). As this is a secure application, I'm using WPF's PasswordBox.SecurePassword to securely create a hash of the password (using SHA512CryptoServiceProvider, hashing from a custom Stream) to use as a password for Rfc2898DeriveBytes. Let's say I have an AES-256-CBC implementation which securely retrieves and stores key+IV so that is not an issue.
I am currently implementing a way for users to be able to store their password so they don't have to put them every time they log in. So far I am able to store the password securely using the AES custom implementation and I can read the password securely (that is, without ever putting it completely in Memory in plain text).
What I am having problem is when I try to replace the text in the PasswordBox. PasswordBox.SecurePassword is read-only and I have tried to use PasswordBox.SecurePassword.AppendChar(someChar) but the field/value remains empty. I imagine that PasswordBox.SecurePassword only returns a copy (SecureString.Copy()) and not the original variable (looking at .NET source code confirms this).
Is there any way I can achieve what I want or do I need to create a custom WPF control?
This can be considered to be solved.
We decided to use an animation to show the user that they don't need to put the password again.
It's a shame you cannot programmatically add characters to the SecurePassword property like you can do with a normal SecureString.