As explained in another tip in this TipBank, users can peek at the contents of password-protected TextBox controls with a simple Spy-like program, or even with a VB program plus some API functions. The problem is that such TextBox controls react to the WM_GETTEXT message and the GetWindowText API function as if they were regular TextBox controls. This holds True under Windows 95, 98 and NT. (Windows 2000 has fixed this security issue.)
If you want to make sure that no one can steal passwords from your VB programs, you only have to subclass the WM_GETTEXT message and discard the call. The following code snippet relies on the MsgHook.Dll (that you can download from the FileBank section of this site).
If you discard the WM_GETTEXT message, no application will be able to read the contents of your control.
' ASSUMES THAT YOU HAVE ADDED A REFERENCE TO THE MSGHOOK.DLL
Dim WithEvents TextHook As MsgHook
Private Sub Form_Load()
Set TextHook = New MsgHook
' Text1 is the password-protected control
Private Sub TextHook_BeforeMessage(uMsg As Long, wParam As Long, lParam As Long, _
retValue As Long, Cancel As Boolean)
' filter out the WM_GETTEXT message
If uMsg = WM_GETTEXT Then Cancel = True
It is remarkable that this subclassing code doesn't prevent the current application from reading the contents of the password-protected control. The reason is - evidently - that VB doesn't rely on API calls to read the Text property of a TextBox.