I would like to use a secure string to hold a password in a variable. I get the password from the database, because I am using hashed passwords and I need to compare the password given by the user with the hashed password that I have in the database.
Well, I retrieve the password from the database, which is a hashed password. It is a string, so if I convert this string to a secure string, since I start from a string, which is insecure, does it make sense to convert it to a secure string? Because the string is exposed, since I get it from the database and store it in a string in the first moment.
What is the correct way to compare the stored password in the database and the password given by the user?
I am using a repository that does this work, and the repository is executed on the local computer of the user, not on the server.
Thanks.
As you wrote, it would not make sense to convert an existing password string; the damage would already be done. However, since we are talking about the hash, not the password, it is in general fine to query that (please call me out if this is wrong).
But additionally, you can just as well simply ask the DB for equality of the hashes instead of querying the existing hash.
Have a look at this question for more information, its accepted answer also has a lot of excellent links.