
I am making a little project that requires me to access one of my email accounts frequently to send emails. With that being said, I obviously know the log-in information ahead of time, and in order to protect the password from being created into a SecureString multiple times, I have created a Singleton class:

```csharp
public sealed class Sender
{
    #region Private Member Variables

    private readonly static Sender SingletonSender = new Sender(); // Singleton object
    private readonly SecureString password;
    private const String defaultEmailAddress = "xxxxxxxxxxxxx";

    #endregion

    #region Properties

    public static Sender ReminderSender
    {
        get { return SingletonSender; }
    }

    #endregion

    #region Constructors

    private unsafe Sender()
    {
        Char[] passwordCharacters = {/* password characters */};
        fixed (Char* pwChars = passwordCharacters)
        {
            password = new SecureString(pwChars, passwordCharacters.Length);
        }
        password.MakeReadOnly();
        passwordCharacters = null;
    }
    #endregion

    // Additional methods
}
```

Now, I am wondering if this is the correct way to protect the password from being exposed unnecessarily? Additionally, if anyone has a better strategy to solve this, I would love to hear it. Note that my goal for this application is to have it deployed on various PCs, not just on my own.

David Venegoni
  • Where does the password come from (I mean where is it stored when your application is not running or is it entered by the user)? – David Jan 20 '14 at 22:02
  • @David I own the email account, so I know the password, but want to access that account programmatically, so the passwordCharacters represent the clear text password, so it is stored within the code itself. – David Venegoni Jan 20 '14 at 22:05
  • Your `passwordCharacters` can be easily compromised. – Hamlet Hakobyan Jan 20 '14 at 22:05
  • @HamletHakobyan Yeah, decompiling would easily compromise the password. I could always encrypt the password and save it to a file manually, not sure of many other methods. If you have a strategy, please share, interested in alternatives that I have not thought of. – David Venegoni Jan 20 '14 at 22:07
  • There is no 100% way to protect a password. It can be cracked even from your mind :) – Hamlet Hakobyan Jan 20 '14 at 22:09
  • Maybe not quite the focus of your question but as long as you store the password characters in the application you do not need to care for SecureString. A way to improve security would be to use an obfuscator which makes it harder but not impossible to read the contents of your assembly. In general, if you need to provide access to your email account and your program must know the credentials there is no 100% way of securing this information, otherwise your program itself would not be able to know it. – David Jan 20 '14 at 22:16

1 Answer

Run the code in a web app, and have the various PCs ask the server to run this code on their behalf.

Do you really want to make sure the users have .NET 4.5? (answer: no)

You could probably get a Rails app on Heroku in less overall time.

By the way, if you are using Gmail, you can put an OAUTH token on the user's machine instead of your password, which you can revoke. It's still a password of sorts, but at least it's not your password.

https://developers.google.com/gmail/oauth_overview

sethcall
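An added example (not code from the question or the answer) of keeping the secret out of the assembly: a revocable token, as the answer suggests, is stored per user with Windows DPAPI and loaded into a `SecureString` at run time. `TokenStore`, the file path and the one-time provisioning step are assumptions; `ProtectedData` is Windows-only and lives in System.Security.dll on .NET Framework.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not part of the asker's Sender class.
public static class TokenStore
{
    // Assumed location: a per-user directory outside the deployed binaries.
    private static readonly string TokenPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ReminderSender", "token.bin");

    // Run once per machine at provisioning time with the token issued for it.
    public static void Save(char[] token)
    {
        byte[] plain = Encoding.UTF8.GetBytes(token);
        try
        {
            // DPAPI binds the ciphertext to the current Windows user account.
            byte[] cipher = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(TokenPath));
            File.WriteAllBytes(TokenPath, cipher);
        }
        finally
        {
            // Overwrite the buffers; assigning null only drops the reference.
            Array.Clear(plain, 0, plain.Length);
            Array.Clear(token, 0, token.Length);
        }
    }

    public static SecureString Load()
    {
        byte[] cipher = File.ReadAllBytes(TokenPath);
        byte[] plain = ProtectedData.Unprotect(cipher, null, DataProtectionScope.CurrentUser);
        char[] chars = Encoding.UTF8.GetChars(plain);
        try
        {
            var secret = new SecureString();
            foreach (char c in chars) secret.AppendChar(c);
            secret.MakeReadOnly();
            return secret;
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
            Array.Clear(chars, 0, chars.Length);
        }
    }
}
```

Code running as the same Windows user can still call `Unprotect`, so this keeps the secret out of the binary and unreadable from a copied file, not hidden from the logged-in user. That is why the stored value should be a revocable token rather than the account password.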