Web Application - Plain password value can be found in memory dump of IE 11 process

  • Question

  • I developed a web application using the ASP.NET Framework with a login page, and I use IE 11 for testing the app. However, after I entered the username and password and took a memory dump from the IE process, the entered password can be found in plain text. Does anyone know if there is any control or solution that I can use so that the password value won't be found in memory? Preferably, Microsoft-provided solutions.

    Thanks.

    • Moved by CoolDadTx Tuesday, September 17, 2019 2:09 PM ASP.NET related
    Tuesday, September 17, 2019 3:44 AM

All replies

  • You don't send plain text over the Internet for a password. You send an encrypted password and decrypt it; there are .NET libraries for this that you'll have to look up. Why are you not using the ASP.NET Identity security feature, which implements a login page for encrypted passwords and other such features that can be implemented in an ASP.NET solution?

    Tuesday, September 17, 2019 5:04 AM
  • Thanks for the reply. ASP.NET Identity, I think, will not encrypt the password on the client side (browser).

    By encrypting and decrypting the password, do you mean using a JavaScript library to encrypt, and then the server decrypts? Can you suggest which library/solution?

    Tuesday, September 17, 2019 6:03 AM
  • Hi C12345,

    Normally, we will encrypt the password by using AES, MD5 or something else. But this also happens on the server side or by using a client-side library. As far as I know, there is no built-in feature in ASP.NET or JavaScript to achieve your requirement.

    But I couldn't understand why you want to keep the password out of the IE process memory, since IE is the client browser which is used by the user to type in the password. If you want to avoid a virus attack, you should suggest that your customer install antivirus software. Besides, you should use HTTPS instead of HTTP to make your application more secure.

    Best Regards,

    Jack


    MSDN Community Support

    Tuesday, September 17, 2019 6:09 AM
  • Thanks for the answer. We're just looking for expert opinions and also exploring the possibility to strengthen our security. 

    Tuesday, September 17, 2019 6:36 AM
  • You should post to the Security forum in ASP.NET forums.

    https://forums.asp.net

    Tuesday, September 17, 2019 10:43 AM
  • Please post questions related to web development in the ASP.NET forums.

    Michael Taylor http://www.michaeltaylorp3.net

    Tuesday, September 17, 2019 2:09 PM