PasswordBox and MVVM

Mare Infinitus picture Mare Infinitus · Mar 13, 2013 · Viewed 24.4k times · Source

We have the following scenario:

  1. MVVM userinterface where a user can place his password (actually a PasswordBox)
  2. Server that shall do some work
  3. Server connects to some Database that requires authentification

And I already read this Question on PasswordBox in MVVM

But there is no answer on how to do! Just lots over "never ever do that".

What is the correct way of passing a password around? How to resolve the security issues?

There is no proper way of Binding to the PasswordBox and the Password shall not be stored somewhere, okay.

So, what is the MVVM way of doing such things?

Even if the pattern is broken, is there a good way to achieve such things?

Thought of a Func<string> to retrieve it, but without Binding this will get a mess...

Update Same for initialising the PasswordBox from a (hopefully encrypted) password store. Isn't that breaking the MVVM pattern? The User does not want to enter the password each time he starts the application or wants to work with the database I believe.

Answer

Rachel picture Rachel · Mar 13, 2013

Personally I just pass the entire PasswordBox control to my LoginCommand

I know it breaks MVVM because the ViewModel layer now references a View-specific object, but I think in this specific case it's OK.

So I might have XAML that looks like this:

<Button Content="Login" 
        Command="{Binding LoginCommand}" 
        CommandParameter="{Binding ElementName=MyPasswordBox}" />

And a LoginCommand that does something like this:

private void Login(object obj)
{
    PasswordBox pwBox = obj as PasswordBox;

    SomeBlackBoxClass.ValidatePassword(UserName, pwBox.Password);
}

I suppose you could also run some kind of encryption algorithm on the value and compare the hash of that value to the hash of the user's password too

private void Login(object obj)
{
    PasswordBox pwBox = obj as PasswordBox;
    var encryptedPassword = SomeLibrary.EncryptValue(pwBox.Password, someKey);

    if (encryptedPassword == User.EncryptedPassword)
        // Success
}

I'm no expert on the PasswordBox control or security, but I do know that you don't want to be storing the user's password in plain text anywhere in memory within your application

(Technically, it's stored as plain text in PasswordBox.Password - you can use something like Snoop to verify this if you want - however typically the PasswordBox doesn't exist for longer than it takes the user to login, and the actual "password" is just text entered by the user, which may or may not be correct. A keylogger could get you the same information.)