SecureString for storing in memory and presenting passwords? Or something else?

bertusaurus · Jun 26, 2011 · Viewed 11.8k times

I have been writing a little program for myself using C# that I can use to store my passwords and then retrieve them for viewing/editing.

While the passwords are stored to disk in an encrypted format, when they are read into memory for display/editing on a form, they are unencrypted.

I have learned that having unencrypted passwords in memory is a pretty big security problem, so I came across the SecureString class.

Would there be a more secure way to do this than using the SecureString class, or does SecureString live up to its name?

Answer

svick · Jun 26, 2011

SecureString keeps its text encrypted in memory and you can dispose of it immediately when you don't need it. The problem is, when you want to display it or use it in almost any other way, you have to convert it to a normal string, which is not secure.

Also, I wouldn't rely on it too much – the system is able to decrypt it without any decryption key, which means a determined hacker will most likely be able to do the same. When a hacker gains control of your computer, you can't be sure of anything and he will probably be able to access anything that's not encrypted using a good algorithm with a good key.
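The pattern the answer describes (keep the value in a SecureString, touch the plaintext only briefly, and wipe it afterwards) looks like this in practice. This is an added example, not code from the question or the answer: it reads the password into a SecureString character by character, hands the decrypted bytes to a callback through an unmanaged buffer that is zeroed on exit, and never materialises a managed `string`, which could not be wiped because managed strings are immutable and the garbage collector may keep copies around. The `Matches` helper, the `"hunter2"` comparison value and the console prompt are constructed for the demo.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not from the original post: minimal SecureString handling.
static class SecureStringDemo
{
    // Build the SecureString one character at a time from a masked console
    // prompt, so the whole password never exists as a managed string.
    static SecureString ReadPasswordFromConsole()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0) secure.RemoveAt(secure.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secure.AppendChar(key.KeyChar);
            }
        }
        secure.MakeReadOnly(); // no further modification after capture
        return secure;
    }

    // Expose the plaintext only inside 'action', via an unmanaged UTF-16 buffer
    // that is zeroed and freed in 'finally' even if the callback throws.
    // Do NOT replace this with Marshal.PtrToStringUni or
    // new NetworkCredential("", secure).Password: both create a managed copy
    // that cannot be wiped.
    static T UseSecureString<T>(SecureString secure, Func<IntPtr, int, T> action)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            return action(ptr, secure.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    // Constructed consumer for the demo: compare the decrypted characters to an
    // expected value without building a managed string. (A real program would
    // compare against a stored hash, and constant-time comparison is a separate
    // concern not addressed here.)
    static bool Matches(SecureString secure, string expected)
    {
        if (secure.Length != expected.Length) return false;
        return UseSecureString(secure, (ptr, len) =>
        {
            for (int i = 0; i < len; i++)
            {
                // each UTF-16 code unit is two bytes
                char c = (char)Marshal.ReadInt16(ptr, i * 2);
                if (c != expected[i]) return false;
            }
            return true;
        });
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString secure = ReadPasswordFromConsole())
        {
            Console.WriteLine();
            Console.WriteLine(Matches(secure, "hunter2") ? "match" : "no match");
        } // Dispose() zeroes the protected buffer when the block exits
    }
}
```

The window in which the plaintext is readable is the body of the callback passed to `UseSecureString`; anything that escapes that callback as a managed `string` (for display in a text box, for example) is outside SecureString's protection, which is exactly the limitation the answer points out.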