Are password textboxes really secure?

You know, the control on the form that displays some character over and over instead of displaying the text behind.

Let's create a simple demo. I will have a WinForms application with a single form that hosts a single TextBox. I'll set TextBox.PasswordChar to an asterisk (*). That's all I need to create the demo. After running the application and typing the word tubo into the text box I'll see something like this:

You would think that the text is protected and nobody can get to it even if they have access to the computer, right? Wrong. Due to the nature of Windows controls, one can always inspect a control's properties through its window handle. A nice tool that lets you do this kind of inspection is Spy++, which comes with Visual Studio; you'll find it in the Visual Studio Tools subfolder in the Start menu. Run Spy++ and click the Search/Find Window... menu entry. Drag the marker shown in the picture below

over our protected text box and this window will appear:

The text is clearly visible now. You can even set the value, and do the same with other supported properties. And of course this isn't limited to the TextBox control.
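The demo described above, as an added example that is not code from the original post: a single form with a masked TextBox, plus an in-process check that asks the control's window for its text by handle instead of through the TextBox.Text property. The class name, the button and the `ReadTextByHandle` helper are assumptions made for illustration.

```csharp
// Added example: PasswordChar changes what is drawn, not what the window stores.
using System;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;

static class PasswordBoxDemo   // hypothetical name
{
    private const int WM_GETTEXT = 0x000D;
    private const int WM_GETTEXTLENGTH = 0x000E;

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    private static extern IntPtr SendMessage(IntPtr hWnd, int msg, IntPtr wParam, IntPtr lParam);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    private static extern IntPtr SendMessage(IntPtr hWnd, int msg, IntPtr wParam, StringBuilder lParam);

    // Hypothetical helper: read the native edit window's text using only its handle.
    static string ReadTextByHandle(IntPtr hWnd)
    {
        int length = SendMessage(hWnd, WM_GETTEXTLENGTH, IntPtr.Zero, IntPtr.Zero).ToInt32();
        var buffer = new StringBuilder(length + 1);   // room for the terminating null
        SendMessage(hWnd, WM_GETTEXT, (IntPtr)buffer.Capacity, buffer);
        return buffer.ToString();
    }

    [STAThread]
    static void Main()
    {
        var box = new TextBox { PasswordChar = '*', Dock = DockStyle.Top };
        var show = new Button { Text = "Read via handle", Dock = DockStyle.Bottom };
        var form = new Form { Text = "PasswordChar demo" };
        form.Controls.Add(box);
        form.Controls.Add(show);

        // The screen shows asterisks; the window still holds the typed characters.
        show.Click += (s, e) => MessageBox.Show(
            "Window 0x" + box.Handle.ToString("X") + " holds: " + ReadTextByHandle(box.Handle));

        Application.Run(form);
    }
}
```

The mask guards against someone reading the screen, not against code that can talk to the window.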

Magic? No, just the way Windows works. Well, until now. Since Vista is introducing a new UI system called WPF (which runs on Windows XP, too), I think it won't be that easy anymore to get to the control's content, or it may even be impossible, due to the entirely different system. I guess that makes WPF automatically more secure.

Comments (1) -

  • Miha Pihler

    3/29/2007 4:06:10 PM | Reply

    There are many "professional" (?) tools out there that can reveal hidden fields.

    One of my favorite tools for this is Cain & Abel (http://www.oxid.it/cain.html).

    First time I used it was when one of my customers forgot their POP3 password for their Outlook Express...
