Common Practice regarding Passwords in Memory

I am writing a .net(C#) windows application to store user passwords in it, like keypass, lastpass, roboforms etc.

To process the user data i have to keep it in memory this data also contains Passwords of the user.

Now my Questions are:

1. Can someone read the Memory Data using some tool or memory dump?
2. If yes then How? Can someone share such tool? i tried with CurrProcess, HeapViewer,ProcessExplorer and ProcessView applications but can't find any private data in memory dump,
3. Do I need to learn something 开发者_StackOverflow中文版else to ensure the protection of in memory passwords.

Thanks

You are correct in your concerns, strings in memory are not safe.

You're probably looking for the SecureString class.

If you're concerned about someone snooping the RAM for passwords, then you have more significant issues. If a malicious user has access to the RAM, then it is trivial to drop a keylogger onto the machine, or to bypass where the keys are used in software, or to intercept the keys once they are decrypted. etc etc

The general rule is, if someone has access to the machine, then its game over security wise.

Yes, there exist tools that capture all physical memory (and pagefile) for further investigation. They are called "forensic" and you can find some by adding this keyword to your searches. If you want to capture memory in your code (i.e. write such program yourself), this is possible using our RawDisk product.

As for protecting your passwords, Kobi mentioned SecureString class, which is supposed to securely store strings in memory. While this class is not a 100% protection ( the password is decrypted anyway when you use it ), but makes password capture much less likely.

I'd suggest exploring source code of Keepass (version 2.xx). It is written in .NET, and it deals with same issues you're concerned about.

My experience is limited in security but I hope that this will be helpfull

1. Yes, it's possible
2. You can use WinDbg + SOS to get almost anything you want from object's internal representation
3. There is a special class called SecureString in BCL that should fit your needs.