Is SecureString usable

if you want to keep a secret text in a System.String you’ll have security vulnerabilities. Since it stores the plain text in memory (and you have no control when it will be destroyed as this is controlled by garbage collector) a skillful user could read computer memory somehow and extract the password out of it. So, here steps in (new in 2.0) SecureString class that encrypts the text and stores it encrypted. The downside is that you can’t transform it to managed string since it wouldn’t make sense, as you’ll be back to security vulnerability. That makes, it is useful only for communicating with unmanaged code. What is missing?
For example, it would be useful to have an overloaded constructor for SqlConnection that takes SecureString as an argument (connection string):

public SqlConnection(SecureString connectionString)

However, there is no such constructor. The question is why SecureString isn’t used for stuff like this?

Find more about SecureString in this article.

3 replies on “Is SecureString usable”

Hi Jake,

Well, first I’ve come across the problem and while looking for a use of SecureString I’ve read few articles on the topic (one of them was Keith’s article in MSDN magazine – didn’t know about his blog entry). I guess I should have linked to that and other related articles.

Leave a Reply