This post originated from an RSS feed registered with .NET Buzz
by Robert Hurlbut.
Original Post: Using SecureString now
Feed Title: Robert Hurlbut's .Net Blog
Feed Description: Development with .Net, Rotor, Distributed Architectures, Security, Extreme Programming, and Databases
Have you heard about SecureString in Whidbey/VS 2005? This was built to help solve some of the problems of storing sensitive and secret information in System.String:
- It's not pinned, so the garbage collector can move it around at will, leaving several copies in memory.
- It's not encrypted, so anyone who can read your process' memory will be able to see the value of the string easily. Also, if your process gets swapped out to disk, the unencrypted contents of the string will be sitting in your swap file.
- It's not mutable, so whenever you need to modify it, there will be the old version and the new version both in memory.
- Since it's not mutable, there's no effective way to clear it out when you're done using it. [by way of Shawn Farkas]
Hernan de Lahitte has put together a sample class for .NET 1.1 that works in a similar way to SecureString.
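To show how SecureString addresses the points above, here is an added example (not from the original post or from Hernan de Lahitte's sample) that builds two secrets character by character and compares them through short-lived unmanaged copies that are zeroed before being freed. The helper names `FromChars` and `SecureEquals` are hypothetical, and the secret values are constructed for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Build the secret one character at a time so it never exists as an
    // immutable System.String. The source char[] is mutable, so it is wiped.
    static SecureString FromChars(char[] chars)
    {
        SecureString s = new SecureString();
        foreach (char c in chars) s.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);
        s.MakeReadOnly();
        return s;
    }

    // Compare two secrets without creating a managed string. The plaintext
    // lives only in unmanaged buffers, which the GC cannot move or copy.
    static bool SecureEquals(SecureString a, SecureString b)
    {
        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            pa = Marshal.SecureStringToGlobalAllocUnicode(a);
            pb = Marshal.SecureStringToGlobalAllocUnicode(b);
            int diff = a.Length ^ b.Length;          // length mismatch counts as a difference
            int n = Math.Min(a.Length, b.Length);
            for (int i = 0; i < n; i++)              // no early exit on the first mismatch
                diff |= Marshal.ReadInt16(pa, i * 2) ^ Marshal.ReadInt16(pb, i * 2);
            return diff == 0;
        }
        finally
        {
            // Overwrite the plaintext copies with zeros, then free them.
            if (pa != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pb);
        }
    }

    static void Main()
    {
        // Constructed sample values; a real program would read keystrokes instead.
        using (SecureString stored = FromChars(new char[] { 's', '3', 'c', 'r', '3', 't' }))
        using (SecureString typed = FromChars(new char[] { 's', '3', 'c', 'r', '3', 't' }))
        {
            Console.WriteLine(SecureEquals(stored, typed));
        }   // Dispose() clears the protected buffers held by each SecureString
    }
}
```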