Posted 18 Oct 2013

C# Protect the Password inside a TextBox

How to protect the password inside a textbox

First of all, the TextBox control is not a secure way to hold passwords - so don't use it as it is by default. Even with a PasswordChar, the real password is still visible if you use a tool like Spy++.

The Flaw (Explained)

As an example, take a simple TextBox with PasswordChar = '*'.
Now, if you use Spy++ and inspect this application, you can get the password.

TextBox is not safe

But...why does this happen?

Spy++ sends the message WM_GETTEXT (0x000D) to the TextBox, and the control just returns its value. It's actually working as intended: it reacts just like any other control that obeys every message it receives.

Fixing this Issue...

I found a way to solve this by not allowing the TextBox to process the 'malicious' messages. So the solution consists in blocking any WM_GETTEXT message unless it was sent by the Text property.

If the Text property is called, it will send a WM_GETTEXT message, so it will surely be an internal (safe) call. But if that message is received and the Text property wasn't called, then it might be risky to return the password, so we'll not process that message.

I wrote a "safer" TextBox here, just to show you the idea; feel free to write your own or simply improve this one.

using System.Windows.Forms;

class ProtectedTextBox : TextBox
{
    // the malicious message, that needs to be handled
    private const int WM_GETTEXT = 0x000D;

    // 'true' if the messages are sent from our program (from Text property)
    // 'false' if they're sent by anything else
    bool allowAccess { get; set; }

    public override string Text   // overriding Text property
    {
        get
        {
            allowAccess = true;    // allow WM_GETTEXT (because it's an internal call)
            return base.Text;  // this sends the message above in order to retrieve the TextBox's value
        }
        set { base.Text = value; }
    }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_GETTEXT)  // if the message is WM_GETTEXT
        {
            if (allowAccess)  // and it comes from the Text property
            {
                allowAccess = false;   // we temporarily remove the access
                base.WndProc(ref m);  // and finally, process the message
            }
            // otherwise the message is dropped and no text is returned
        }
        else
            base.WndProc(ref m);  // every other message is processed normally
    }
}
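
A quick way to check the fix, as an added example that is not part of the original article: it sends a raw WM_GETTEXT to a plain TextBox and to a ProtectedTextBox created in the same process and prints what each one returns. The WmGetTextCheck class, the ReadViaMessage helper and the sample value are constructed for this illustration; the control is a compact copy of the article's class so the file compiles on its own.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;

// Compact copy of the article's control so this check compiles on its own.
class ProtectedTextBox : TextBox
{
    private bool allowAccess;
    public override string Text
    {
        get { allowAccess = true; return base.Text; }
        set { base.Text = value; }
    }
    protected override void WndProc(ref Message m)
    {
        if (m.Msg != WmGetTextCheck.WM_GETTEXT) base.WndProc(ref m);
        else if (allowAccess) { allowAccess = false; base.WndProc(ref m); }
    }
}

static class WmGetTextCheck   // hypothetical name, used only for this check
{
    internal const int WM_GETTEXT = 0x000D;

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern IntPtr SendMessage(IntPtr hWnd, int msg, IntPtr wParam, StringBuilder lParam);

    // Text the control returns for a raw WM_GETTEXT that did not come
    // from the Text property; this is the request the article describes.
    public static string ReadViaMessage(Control control)
    {
        var buffer = new StringBuilder(256);
        SendMessage(control.Handle, WM_GETTEXT, (IntPtr)buffer.Capacity, buffer);
        return buffer.ToString();
    }

    [STAThread]
    static void Main()
    {
        const string sample = "constructed-sample"; // constructed test value
        using (var plain = new TextBox { PasswordChar = '*', Text = sample })
        using (var guarded = new ProtectedTextBox { PasswordChar = '*', Text = sample })
        {
            Console.WriteLine("TextBox via message:          '{0}'", ReadViaMessage(plain));
            Console.WriteLine("ProtectedTextBox via message: '{0}'", ReadViaMessage(guarded));
            // The application must still read the value through the property.
            Console.WriteLine("Text property still works:    {0}", guarded.Text == sample);
        }
    }
}
```

Build it as a console application that references System.Windows.Forms and compare the two "via message" lines.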


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Romania
Student @ ACS (UPB), developer wannabe, mad C# fan and webmaster of

Last Updated 18 Oct 2013
Article Copyright 2013 by Apex95