I see very commonly the use of string s to store passwords in the program memory, not only in .Net, but in all programming languages I have ever used.
At first, I do not see a problem in this. But as I know the .Net ecosystem is HUGE, I was curious: Is there any kind of optimized for keeping passwords, or is string unique? And if it exists, is it worth it? Or% s of% s already enough?
The SecureString type is described documentation as follows:
Represents text that should be kept confidential. It is encrypted to privacy when it is being used, and deleted from the computer when it is no longer needed.
This type implements the interface IDisposable and it is through the Dispose method that indicates that it should be deleted from memory.
Several .NET classes that deal with passwords, including the WPF PasswordBox, include methods or properties that use this class.
The purpose of this class is to prevent passwords from being stored on the disk ( swap ) and make it more difficult (though not impossible) for an attacker with access to computer memory to find out what password.
Of course, this class is only of interest if the password never even becomes available as a string or byte[] conventional.
Also relevant: link
