Introduction
Today, security becomes more and more important. Very secure encryption and
authentication algorithms are designed (e.g. AES, SHA). But the best algorithms
are useless, if crackers bypass these systems by simply exploiting simple
security bugs of operating systems...
As you probably are thinking already, I am talking about the Windows Edit
controls. Most "normal" Windows programs use Edit controls, to get passwords
from the user. Normally you see stars (*) when you type something into an edit
box, that has the password flag. Unfortunately, these edit controls are not
secure. There are various methods for malicious programs and crackers to get the
password.
The first method is to simply remove the password flag. Windows doesn't do
anything against programs manipulating the window styles of other processes.
Just remove the ES_PASSWORD
flag of an Edit box and zosh! You see
the entered text.
Another method is to read out the text of the Edit box. Use the Windows API
function GetWindowText
on the Edit control and you get the text,
even if you are not the owner of the control (i.e. another process), and even
stars are displayed.
Therefor I created and present you now a control, which is very user-friendly
(Secure Edit controls look like normal Edit controls), and which is immune to
these spy tools, i.e. the methods above don't work at Secure Edit controls.
Features of the Secure Edit control
These are the features of the CSecureEdit
class:
- Spies cannot read out the text of Secure Edit controls
- Removing the
ES_PASSWORD
style doesn't affect Secure Edits
- Secure Edits look like normal Windows Edits
- User can insert a character anywhere (i.e. use cursor keys)
- User can delete one or more characters
- User can paste text into Secure Edit controls
- User cannot copy text out of Secure Edits
- Easy to implement for MFC developers
Technical background
So you want to know how Secure Edit controls work? Well, here we go.
Secure Edit controls have separate buffers for the real and the displayed
text. The displayed text is just the password character multiplicated with the
length of the real text.
Every time the user presses a key, the display buffer contains a non-password
character. Now it's time to replace this character with a password character and
update the internal real text buffer.
Secure Edit controls are derived from CEdit
s. They intercept the
EN_UPDATE
message sent to edit controls, every time the content of
the control changes. The message is sent after Windows has updated its
contents, but not displayed it already.
The CSecureEdit
class now looks what has happened. Has the user
inserted a character? Has he deleted one or more characters with Del or Bkspc?
Has he pasted some text into the control? First the class computes the length
difference of the old text and the new one. If this difference is lower than 0,
the user has deleted something.
In this case, we have to look where the cursor is. Now we can cut out the
deleted text from the internal buffer, based on the cursor position and
difference information. Now it gets tricky. What if the user has selected some
characters, lets say 4, and pressed a key? The difference is 3, 4 characters
have been deleted and one entered. In this case we first delete the 4 old
characters and let the character insertion routine run on the text.
In the other case (difference greater or equal zero), the user has inserted
text or replaced a character (range?) with another character (multiple?
clipboard?). Inserting is relatively easy. We just look at the display buffer
and search for non-password characters. These characters are new. The only thing
to do now is to compare the display buffer with the internal real text buffer
and insert the new characters of the display buffer to the internal buffer.
Finally we have to update the display buffer, i.e. replace all non-password
characters with password-characters.
Using Secure Edit Control
Implementing CSecureEdit
is as easy as implementing other
customized controls, like "flat" controls or colorized controls.
Just follow these 4 steps to include Secure Edit Controls into your
project:
- Add the files SecureEdit.cpp and SecureEdit.h to your project.
- In the Visual Resource Editor of Visual Studio, create a normal edit
control.
- Right-click on the edit control and select Class Wizard.
- Create a new member variable for the control of type
CSecureEdit
That's it! You don't have to call any initialization or configuration
function.
To read the real text of the control, read out the public
CString
member variable m_strRealText
of the
CSecureEdit
class. You don't have to call UpdateData
before the read, the control updates its text every time the user changes
something.
To set the text of a Secure Edit control, use its member function
SetRealText
.
Some notes on the control
In contrast to normal edit controls, you cannot copy the password entered to
a secure edit control to the clipboard. But you can paste text into the
control. In my opinion this is the most reasonable solution. Paste something in
is allowed, copy something out is forbidden.
You can define the password character freely. But the character mustn't be
entered by the user. Currently the password character is such a special X. This
isn't the normal X, it's one of the higher ASCII characters which normally isn't
entered by the user (he would have to use an ALT-XX key combination to insert
it...). Therefor you shouldn't use the standard star (*) or other standard
characters like ! ? - _ $ or such...
Now go, download one or more of these spies, and use them on Secure Edit
controls. You'll see that the spies cannot reveal the passwords entered to a
Secure Edit control.
PwdSpy: http://www.codeguru.com/samples/pwdspy.html
Super Password Spy++: http://www.codeguru.com/ieprogram/SPwdSpy.html
History
-
29 May 2003 - v1.2 - The CSecureEdit
class now supports
Unicode, thanks to Steven Spencer for support
-
18 May 2003 - v1.1 - Fixed a bug in the SetRealText
function
-
17 May 2003 - v1.0 - First official release
Well, thats it. Now go and be the first to release an application with
password edits resistant to window spies :-).