There is a method that accepts a password and returns it already hashed with MD5. At first I didn't use SecureString but simply a string into which I wrote the Password taken from the controller, and there were no problems. Now I have read that with this approach the string is kept in the process's memory, so it is recommended to use SecurePassword and send it to the server like this. Actually, now this error occurs because of that:

Error CS1503 Argument 1: Cannot convert from "SecureString" to "char []".

  using System.Security.Cryptography;
  using System.Text;

  internal static string GetHash(System.Security.SecureString passHASH) // here
  {
      MD5 md5Hasher = MD5.Create();
      // CS1503: Encoding.GetBytes has no overload that accepts a SecureString
      byte[] data = md5Hasher.ComputeHash(Encoding.Default.GetBytes(passHASH));
      StringBuilder sBuilder = new StringBuilder();
      for (int i = 0; i < data.Length; i++)
      {
          sBuilder.Append(data[i].ToString("x2"));
      }
      return sBuilder.ToString();
  }

You could certainly write it like this:

  byte[] data = md5Hasher.ComputeHash(Encoding.Default.GetBytes(passHASH.ToString())); 

But won't this defeat the purpose of using SecureString?

  • What do you mean by "purpose"? Besides, you don't get the value out of a SecureString with a simple SecureString.ToString(). - MihailPw
  • So will the security gain from using SecureString be lost when passHASH is converted to a regular string? Because MD5 won't hash a SecureString directly. - Sergey
  • If you have a control in which the password is entered and it has an explicit string property with the contents, then your change from string to SecureString will not increase protection. And if you really, really care about protection, then MD5 isn't good enough for a password hash. - eblomyac
  • @eblomyac I use PasswordBox, which has 2 properties: Password and SecurePassword. I want to understand which option is better and, if it is the second one, how to get a hash from SecurePassword? - Sergey

1 answer

Convert it to a regular string:

  using System;
  using System.Runtime.InteropServices;
  using System.Security;

  public static string convertToUNSecureString(SecureString secstrPassword)
  {
      IntPtr unmanagedString = IntPtr.Zero;
      try
      {
          // Decrypt into an unmanaged UTF-16 buffer, then copy into a managed string
          unmanagedString = Marshal.SecureStringToGlobalAllocUnicode(secstrPassword);
          return Marshal.PtrToStringUni(unmanagedString);
      }
      finally
      {
          // Zero and free the unmanaged copy regardless of the outcome
          Marshal.ZeroFreeGlobalAllocUnicode(unmanagedString);
      }
  }

And then compute the hash. But if you initially have a regular string, it is better to compute the hash right away and only then convert it to a SecureString.
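The answer above goes through a managed string, which is exactly what the question wanted to avoid: a managed string is immutable and stays in the heap until the garbage collector overwrites it. The example below is added here and is not code from the question or the answer. It hashes the contents of a SecureString without ever creating a managed string: the decrypted UTF-16 copy goes into an unmanaged buffer, then into pinned `char[]` and `byte[]` arrays that are zeroed before the method returns. The class name `SecurePasswordHasher` and the demo input in `Main` are assumptions for the example. MD5 is kept only so that the output matches the question's `GetHash`; as eblomyac notes, it is not an acceptable password hash, and the same buffer handling works unchanged with a real password-hashing primitive. Note also that the digest is computed over UTF-8 bytes, so it only agrees with the question's `Encoding.Default` version where `Encoding.Default` is UTF-8.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or answer): hypothetical class name.
internal static class SecurePasswordHasher
{
    // Hashes the contents of a SecureString without materialising an
    // immutable managed string. All plaintext copies are zeroed on exit.
    internal static string GetHash(SecureString password)
    {
        if (password == null) throw new ArgumentNullException(nameof(password));

        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[password.Length];
        byte[] bytes = new byte[Encoding.UTF8.GetMaxByteCount(chars.Length)];

        // Pin the managed buffers so the GC cannot relocate them and leave
        // stale copies of the plaintext behind.
        GCHandle charPin = GCHandle.Alloc(chars, GCHandleType.Pinned);
        GCHandle bytePin = GCHandle.Alloc(bytes, GCHandleType.Pinned);
        try
        {
            // Decrypt into unmanaged memory (NUL-terminated UTF-16) and copy
            // exactly Length chars, leaving the terminator behind.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);

            // Transcode to UTF-8 in place, without an intermediate string.
            int byteCount = Encoding.UTF8.GetBytes(chars, 0, chars.Length, bytes, 0);

            // MD5 only to match the question's output; not a password hash.
            using (MD5 md5 = MD5.Create())
            {
                byte[] digest = md5.ComputeHash(bytes, 0, byteCount);
                var sb = new StringBuilder(digest.Length * 2);
                foreach (byte b in digest) sb.Append(b.ToString("x2"));
                return sb.ToString();
            }
        }
        finally
        {
            // Wipe every plaintext copy, then release the pins and the
            // unmanaged buffer (ZeroFree zeroes it before freeing).
            Array.Clear(chars, 0, chars.Length);
            Array.Clear(bytes, 0, bytes.Length);
            charPin.Free();
            bytePin.Free();
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }

    private static void Main()
    {
        // Constructed demo input; a WPF app would pass PasswordBox.SecurePassword.
        using (var pw = new SecureString())
        {
            foreach (char c in "correct horse") pw.AppendChar(c);
            pw.MakeReadOnly();
            Console.WriteLine(GetHash(pw));
        }
    }
}
```

The point of the pinning and the `finally` block is that the only plaintext copies are ones the code controls and can overwrite; the hex digest returned is not sensitive in the same way, and `SecureString` itself is disposed by the caller. This only helps if the rest of the application never touches `PasswordBox.Password`, since reading that property creates the very managed string the SecureString path avoids.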