Is it a bad idea to bind PasswordBox password?

13
votes

I've read that the password in a WPF PasswordBox does not have a dependency property for binding the password for security reasons. Despite this, there are ways to bind it anyway.

Users of the MVVM pattern require this databinding; the viewmodel cannot touch the PasswordBox directly without breaking the pattern. One way to work with PasswordBoxes in an MVVM setting is to pass the entire PasswordBox control to the ViewModel, but this breaks the pattern anyway. Binding the Password is probably the cleanest way to work with passwords using MVVM.

There is an argument against binding the Password since this would keep the plaintext password in unencrypted memory until it gets garbage collected. The way I see it, however, is that the password gets stored in unencrypted memory anyway from the moment you access the Password property. This view (or similar) seems to be seconded in this question. Of course it would be in memory for a shorter period without binding (not that login forms have a tendency of being long-lived anyway), but the risk is still there.

Given these arguments, is it really a bad idea to bind the password? And why?

2
c#wpfsecuritydata-bindingmvvm
Did you consider binding to the getter of the Password property instead? It keeps the mvvm pattern intactGayot Fow
How do you mean? What getter?Gigi
+1: Interesting question. My concern is that unencrypted passwords can remain in memory indefinitely, even if they are held in short-lived variables; .NET does not scrub reclaimed memory during garbage collection. Thus, unless you're using SecureString throughout your implementation (up to the computation of the password's hash), I see little advantage in maintaining this level of security, and would just go with the attached property suggested in your first link.Douglas
@Gigi, the getter of the password propertyGayot Fow
@Zwirbelbart a valuable sort of "micro-optimization". Perhaps my application responds to SSL pings, then the Heartbleed bug let bad guys read from part of its memory, but without much control over what it reads. It would be nice to know that I don'd have unneeded password strings floating about.Adrian Ratnapala

2 Answers

6
votes

Using tools like WPF Inspector or Snoop you can spy the password string. An alternative to passing the PasswordBox to the view-model is to attach a Behavior<UIElement> object to your PasswordBox object like below:

public sealed class PasswordBoxBehavior : Behavior<UIElement>
{
    protected override void OnAttached()
    {
        base.OnAttached();
        AssociatedObject.LostKeyboardFocus += AssociatedObjectLostKeyboardFocus;
    }

    protected override void OnDetaching()
    {
        AssociatedObject.LostKeyboardFocus -= AssociatedObjectLostKeyboardFocus;
        base.OnDetaching();
    }

    void AssociatedObjectLostKeyboardFocus(object sender, KeyboardFocusChangedEventArgs e)
    {
        var associatedPasswordBox = AssociatedObject as PasswordBox;
        if (associatedPasswordBox != null)
        {
            // Set your view-model's Password property here
        }
    }
}

and the XAML code:

<Window ...
        xmlns:i="clr-namespace:System.Windows.Interactivity;assembly=System.Windows.Interactivity">
    ...
    <PasswordBox ....>
        <i:Interaction.Behaviors>
            <local:PasswordBoxBehavior />
        </i:Interaction.Behaviors>  
    </PasswordBox>
    ...
</Window>
1
votes

Not binding the password box thinking snooping it will not yield the results is not wise to think!.

Passwordbox.Password will still show the password no matter what![enter image description here]1

enter image description here