Is there any way to get the value of a SecureString without compromising security? For example, in the code below as soon as you do PtrToStringBSTR the string is no longer sec
SecureStrings are only secure as long as you don't use them. )-;
The one thing you should not do is copy it to a string (regardless of the method). The string is immutable and can potentially stay in memory for a long time.
Copying it to a char[] is a little safer as long as you take the precaution of zeroing that array as soon as possible. But the array is present in memory for some time and that is a security risk (breach).
Unfortunately, there is very little support for SecureStrings in the library. The most common way of working with them is one char at a time.
Edit: the char[] array should be pinned, and Mark Byers provides a link to an article doing the same thing with a pinned string. It's a matter of choice, but the risk of the string is that it is very easy to have it copied (passing it to some method that performs a Trim() would be enough).
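The approach the answer describes (decrypt into a pinned char[], never into a string, work one char at a time, and zero everything as soon as possible) as an added C# example that is not the answerer's code or the article it refers to. It assumes .NET with System.Security.SecureString and the Marshal helpers named below; SecureStringToGlobalAllocUnicode is used instead of the BSTR variant from the question because it behaves the same on every .NET platform, and the sample password is constructed here purely for the demo.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringHelper
{
    // Runs `action` over the plaintext characters of `secret` held in a pinned
    // char[]. No System.String is ever created: the unmanaged copy is read one
    // char at a time, and both copies are zeroed before this method returns.
    public static void WithPinnedChars(SecureString secret, Action<char[]> action)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        if (action == null) throw new ArgumentNullException(nameof(action));

        char[] chars = new char[secret.Length];
        // Pin the array so the GC cannot relocate it and leave a stale copy behind.
        GCHandle handle = GCHandle.Alloc(chars, GCHandleType.Pinned);
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            // Decrypts into a null-terminated UTF-16 buffer in unmanaged memory.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            for (int i = 0; i < chars.Length; i++)
            {
                // One UTF-16 code unit per iteration; never Marshal.PtrToString*.
                chars[i] = (char)Marshal.ReadInt16(unmanaged, i * sizeof(char));
            }
            action(chars);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged); // zero + free unmanaged copy
            Array.Clear(chars, 0, chars.Length);                // zero the managed copy
            handle.Free();
        }
    }

    // Example consumer: compare the secret against a caller-supplied char[]
    // without building a string. The loop is length-independent over the
    // shorter buffer so timing does not leak where the first mismatch is.
    public static bool SecretEquals(SecureString secret, char[] expected)
    {
        bool equal = false;
        WithPinnedChars(secret, chars =>
        {
            int diff = chars.Length ^ expected.Length;
            int n = Math.Min(chars.Length, expected.Length);
            for (int i = 0; i < n; i++) diff |= chars[i] ^ expected[i];
            equal = diff == 0;
        });
        return equal;
    }

    static void Main()
    {
        // Constructed sample value; in real code the chars come from a
        // console read or a credential prompt, one char at a time.
        char[] sample = { 'h', 'u', 'n', 't', 'e', 'r', '2' };
        var secret = new SecureString();
        foreach (char c in sample) secret.AppendChar(c);
        secret.MakeReadOnly();

        Console.WriteLine(SecretEquals(secret, sample));                    // True
        Console.WriteLine(SecretEquals(secret, new[] { 'h', 'u', 'n' }));  // False

        Array.Clear(sample, 0, sample.Length); // zero our own copy too
        secret.Dispose();
    }
}
```

The `action` delegate receives the array only for the duration of the call; anything it does that materialises a string (string.Join, Trim, interpolation, logging) reintroduces exactly the problem the answer warns about, so consumers should stay with char-level operations such as the comparison shown.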