I just wonder if there is an efficient way of protecting a TEdit field with password char set from tools which can read it back in plain text.
I think those tools for example grab the target handle of the TEdit and use gettext or something similar.
What I have tried so far is creating a hash for the password, storing it in a variable and writing it back on focus lost of the TEdit, but that doesn't make sense to me since I would need to store another password for calculating the hash inside of the executable.
Maybe someone has a better idea of how the TEdit text could be protected against those tools.
Edit controls with ES_PASSWORD style prevent their text from being copied to the clipboard. What remains is to deny revealing its window text to other applications and resetting the password character to null. A descendant class can handle these.
// Needs Windows (InSendMessage), Messages and StdCtrls in the uses clause
// (Winapi.Windows, Winapi.Messages, Vcl.StdCtrls in newer Delphi versions).
type
  TPasswordEdit = class(TEdit)
  protected
    procedure EmGetPasswordChar(var Message: TMessage); message EM_GETPASSWORDCHAR;
    procedure EmSetPasswordChar(var Message: TMessage); message EM_SETPASSWORDCHAR;
    procedure WMGetText(var Message: TMessage); message WM_GETTEXT;
  end;

procedure TPasswordEdit.EmGetPasswordChar(var Message: TMessage);
begin
  // for NirSoft's BulletsPassView, probably only prevents further inspection,
  // injecting a thread perhaps - I have no idea what it's doing..
  if (PasswordChar = #0) or not InSendMessage then
    inherited;
end;

procedure TPasswordEdit.EmSetPasswordChar(var Message: TMessage);
begin
  // pass the message on only when a mask is in use and the new character
  // is not null, so the mask cannot be reset to null from outside
  if (PasswordChar <> #0) and (Message.WParam <> 0) then
    inherited;
end;

procedure TPasswordEdit.WMGetText(var Message: TMessage);
begin
  // a blocked request falls through without inherited, so no text is copied
  if (PasswordChar = #0) or not InSendMessage then // allow owning thread
    inherited;
end;
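
A way to check the descendant class above from inside the application, as an added example that is not part of the original answer: a worker thread sends the messages the handlers filter, so `InSendMessage` is true when they arrive, and the function reports whether the text and the mask stayed protected. The unit name `PasswordEditCheck` and the function `ResistsForeignThread` are hypothetical, and the code assumes Delphi XE2 or later (namespaced units, `TThread.CreateAnonymousThread`).

```delphi
unit PasswordEditCheck; // hypothetical unit name, added example

interface

uses
  Winapi.Windows, Winapi.Messages, System.Classes, Vcl.Forms, Vcl.StdCtrls;

// Call from the main thread on an edit that has a password char and some text.
// True  = a sending thread other than the owner got no text and the mask is intact.
// False = text was returned or the mask was cleared (a plain TEdit fails, and
//         its mask is really cleared by this check, so use it in test builds).
function ResistsForeignThread(Edit: TCustomEdit): Boolean;

implementation

function ResistsForeignThread(Edit: TCustomEdit): Boolean;
var
  Wnd: HWND;
  Buf: array[0..255] of Char;
  Copied: LRESULT;
  Done: Boolean;
begin
  Wnd := Edit.Handle;
  FillChar(Buf, SizeOf(Buf), 0);
  Copied := -1;
  Done := False;
  TThread.CreateAnonymousThread(
    procedure
    begin
      // Inter-thread sends: the receiving handlers see InSendMessage = True.
      SendMessage(Wnd, EM_SETPASSWORDCHAR, 0, 0);
      Copied := SendMessage(Wnd, WM_GETTEXT, Length(Buf), LPARAM(@Buf[0]));
      Done := True;
    end).Start;
  // Sent messages are only delivered while the owning thread pumps messages.
  while not Done do
    Application.ProcessMessages;
  // Same-thread query: InSendMessage is False, so the real mask is returned.
  Result := (Copied = 0) and (Buf[0] = #0) and
    (SendMessage(Wnd, EM_GETPASSWORDCHAR, 0, 0) <> 0);
end;

end.
```

The check covers only the window-message path the answer filters; it says nothing about code that reads the process memory directly.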