I have an application with a first screen for the login. The password is entered in a password textbox, which is a secure string.
My idea is to store this SecureString in a global application variable because I will need it in some actions, so I would like to avoid the user having to write the password each time. One action could be sending an email; I need the user and the password, so I don't want the user to write the password of the email account each time he wants to send an email.
I have read some posts and I know that in the end I will need the plain text from the SecureString and this is the weak point, so the best solution is to reduce the time that the plain text is in memory. Some solutions can be found here.
But my question is, as the global variable is a SecureString, is it safe while it is not decoded? If it is not a good option, are there other options that would be better but without the need for the user to type the password each time an action needs the password?
Thanks.
Centralizing data that is meant to be reused across an application is a standard design pattern. Let's say you have a group of web pages on top of which you want to display the name of the user, or you need to cache the posts or profile of a particular user. Different frameworks provide different tools for this purpose; for instance in Vue.js, Vuex is offered to implement this mechanism.
In the case of your question, you have not specified which framework you are using, whether it is ASP.Net, WPF, or even a pure C# application relying on OWIN. But either way, there are a few ways that can allow you to achieve what you are after, and you can choose whichever best suits your needs:
1- You can develop a cache layer in your app and cache the password or other data through the lifecycle of a particular session. To do this, you can either rely on a "Concurrent Collection" or make use of an EF Core In-Memory database. (IMemoryCache is also available in ASP.Net Core.)
2- In case the password is meant to undergo some interop, then I recommend going for a global cache server. To do so, you can use Redis or Alachisoft NCache.
3- In case it is a web application, then you can preserve the data in a cookie or the local storage of the browser.
Keep in mind, the SecureString may not give you the security advantage you expect, given that, as stated by Microsoft:
A SecureString object is similar to a String object in that it has a text value. However, the value of a SecureString object is pinned in memory, may use a protection mechanism, such as encryption, provided by the underlying operating system, can be modified until your application marks it as read-only, and can be deleted from computer memory either by your application calling the Dispose method or by the .NET Framework garbage collector.
That said, you have to look at the security aspect of this type from the perspective of memory and memory management. Finally, you have to implement your own security provider, such as hash generation or encryption, in order to achieve real security.
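As an added illustration (not code from either post above), the following C# sketch shows the two points the thread circles around: a SecureString can be kept in one application-wide holder for the session, and the "weak point" is only reached when it is decoded. The example keeps the password out of a managed string entirely where an API accepts a SecureString (NetworkCredential does), and where plain text is unavoidable it marshals into unmanaged memory, copies into a pinned char[] and zeroes both in a finally block so the exposure window is as short as the caller's delegate. The holder class, method names and the sample SMTP host/user are assumptions for the demo; the password characters are constructed inline for the sake of a runnable program.

```csharp
using System;
using System.Net;
using System.Net.Mail;
using System.Runtime.InteropServices;
using System.Security;

// Hypothetical session-wide holder: one SecureString kept for the life of the process.
// Marking it read-only prevents accidental mutation once the login screen has filled it.
public static class SessionSecrets
{
    public static SecureString Password { get; private set; }

    public static void Set(SecureString password)
    {
        Password?.Dispose();            // drop any previous copy first
        password.MakeReadOnly();
        Password = password;
    }

    public static void Clear()
    {
        Password?.Dispose();            // wipes the protected buffer
        Password = null;
    }
}

public static class SecureStringUse
{
    // Preferred path: the consumer accepts a SecureString, so no managed string copy is ever made.
    // NetworkCredential(string, SecureString) is a real constructor; the host/user are placeholders.
    public static SmtpClient BuildSmtpClient(string host, string user)
    {
        return new SmtpClient(host)
        {
            Credentials = new NetworkCredential(user, SessionSecrets.Password)
        };
    }

    // Fallback path: plain text is required. The chars live in unmanaged memory and in a pinned
    // char[] (pinned so the GC cannot move it and leave a stale copy behind), both zeroed on exit.
    // A managed string is never created here; that is the copy you could not reliably erase.
    public static T WithPlainChars<T>(SecureString secret, Func<char[], T> action)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        GCHandle pin = GCHandle.Alloc(chars, GCHandleType.Pinned);
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            return action(chars);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged); // zero, then free
            Array.Clear(chars, 0, chars.Length);               // wipe the managed copy
            pin.Free();
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input standing in for the login screen's password box.
        var pw = new SecureString();
        foreach (char c in "example-pass") pw.AppendChar(c);
        SessionSecrets.Set(pw);

        // Path 1: credential object built without ever decoding the password.
        SmtpClient client = SecureStringUse.BuildSmtpClient("smtp.example.invalid", "user@example.invalid");
        Console.WriteLine($"SMTP client ready for {client.Host}; password never decoded.");

        // Path 2: something that insists on characters gets them only inside the delegate.
        int length = SecureStringUse.WithPlainChars(SessionSecrets.Password, chars => chars.Length);
        Console.WriteLine($"Plain text existed for one call; length was {length}, buffers now zeroed.");

        SessionSecrets.Clear(); // e.g. on logout or application exit
    }
}
```

The design choice worth noting is that the "weak point" the question identifies is not SecureString itself but the managed string most APIs want; routing the password to an API that takes a SecureString removes that step altogether, and the char[] fallback is for the remaining cases, where the delegate boundary makes the lifetime of the decoded copy explicit and reviewable.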