This web site uses cookies. By using the site you accept the cookie policy.This message is for compliance with the UK ICO law.

.NET 2.0+

Creating a Secure Textbox

The SecureString class holds confidential information in an encrypted format, reducing the risk that the information could be obtained by reading a computer's memory directly. However, there is no easy way to obtain the secure information from a user.


When you want to work with confidential information, the SecureString class provides a good option for its temporary storage. This class holds string information in an encrypted form. If an attacker gained access to the memory of the machine, they would find it very difficult to find and decrypt the information, making a SecureString an ideal option for items such as passwords, credit card details and banking credentials. If such data was held in standard string objects, the information would be held in plain text and would be much easier to compromise. SecureStrings can also be programmatically cleared from memory, unlike normal strings, further reducing the security risk.

SecureString TextBox

One problem with the SecureString class is that there is no simple way to obtain a string from a user and store it in a SecureString. Although the class contains methods that allow you to individually add the characters from a string, this would involve holding the plain text string in memory during the process. This would defeat the purpose of using a SecureString. To resolve this problem we need a textbox control that stores information in an encrypted fashion directly. We'll create such a control for Windows Forms development in this article.

The goals for this new user control are:

  • it should look like a standard textbox.
  • it should behave in a similar manner to a textbox, allowing characters to be added and removed, showing a placeholder character for each item rather than the actual entered text.
  • the information entered into the textbox should be held in a SecureString and never in a standard string object. Users of the control should be able to obtain the SecureString for external processing.

Creating the Project

To begin we need a project. For the demo code that you can download using the link at the start of this article, I've used a Windows Forms application project. To make the control reusable, you could create it within a library project. Name the project, "SecureStringTextBox".

Creating the UserControl

We can now add the control to the project. Add a new user control and name it, "SSTextBox". Using the designer, add a textbox. This will be the only control that we need. Set the following property values for the textbox:

  • Name. Set this to "InputBox".
  • Dock. Set the Dock property to "Fill". This will expand the textbox horizontally to fill the control's design surface. It will also mean that the SSTextBox control will be resizeable in a similar manner to a standard textbox when added to a form.
  • ShortcutsEnabled. Set this property to false. Amongst other things, this will prevent the contents of the textbox being copied and will disallow pasting into the textbox. Copying the contents of the textbox will not be of use, as the textbox will not hold the real text.

With these properties set, resize the user control so that the textbox fills it exactly.

Adding the UserControl Source Code

We can now begin to add the code for the user control.


Our secure textbox has two custom properties. The first is a read-only property that holds the SecureString value. The second is a password character that will be displayed in place each character in the entered string, allowing the character to be customised. The password character will not be mapped into the PasswordChar of the underlying textbox. We'll set the textbox's Text property using the password character each time the user changes the entered value.

As we'll be using the SecureString class, we'll be working with the System.Security namespace, so add the following using directive to the user control's code:

using System.Security;

We can now create the two properties and their backing store fields.

char _passwordChar = '●';
SecureString _secureString = new SecureString();

public SecureString SecureString
    get { return _secureString; }

public char PasswordChar
    get { return _passwordChar; }
    set { _passwordChar = value; }

Capturing Keystrokes

The next step is to capture user keystrokes and intercept them before they can be added to the textbox's insecure Text property. We'll start with the KeyPress event. In this event we'll detect characters being added to the text and insert them in the correct place in the SecureString value. We'll also detect when the user presses the backspace key and remove characters accordingly.

The code below detects whether or not the key pressed was backspace and calls either a method that processes a backspace or one that adds a newly entered character. After the if statement the Handled property of the KeyPressEventArgs is set to true, indicating that the entry requires no further processing. This prevents new characters from being added to the textbox's Text property.

private void InputBox_KeyPress(object sender, KeyPressEventArgs e)
    if (e.KeyChar == '\b')

    e.Handled = true;
16 September 2012