SecureString Solution is fine but has inner contradiction?
I saw this thread :
When would I need a SecureString in .NET?
the code there is :
SecureString password = new SecureString("password");
vs
SecureString pass = new SecureString();
foreach (char c in "password".ToCharArray())
pass.AppendChar(c);
And I do understand the benefits of the second one ( adding char by char) - so that the hacker will not be able to track all chars which in random places in memory ( vs one string in mem which he can find).
The Part which I dont understnad is that part :
that yellow code is deferentially in memory !
so ... where is the benefit ?
The 2nd code sample with ToCharArray() just demonstrates the restricted way for filling a securestring. It is not a sample of a (best) practice.
The thread you link to provides most of the answers: Securestring provides a partial solution to avoiding plain-text passwords (in memory). Not a complete solution.
But take these 2 points from the accepted answer:
- WPF's PasswordBox control keeps the password as a SecureString internally.
- System.Diagnostics.ProcessInfo's Password property is a SecureString.
Together they would allow you to safely transfer a password to a process.
- Why does an empty preprocessor command still evaluate to something?
- How to implement variable sized array within C struct
- Character array typecasting to integer
- How can I exclude non-numeric keys? CS50 Caesar Pset2
- How to get the sign, mantissa and exponent of a floating point number
- Why do MCU libraries use logic operations instead of bitfield structs?
- What kind of implementation can I use for a static associative array on a vintage system with very limited resources?
- Determine libraries to link against for a windows library function?
- Passing macro values to arm linker that places variable at a specific location
- running a program with wildcards as arguments
- How to perform addition of two vectors of 8-bit integers with a single addition in C/C++
- GNU RISC-V Embedded GCC throws "x ISA extension `xw' must be set with the versions" error
- Counting pulses using a swiss flow meter with an Arduino, how is it done?
- How to create a folder in C (need to run on both Linux and Windows)
- Is there any way to compute the width of an integer type at compile-time?
- How can I initialize all members of an array to the same value?
- Is C notably faster than C++
- How to get the Windows SDK version number a program is compiling with at compile time
- Confused by difference between expression inside if and expression outside if
- Equivalent of atoi for unsigned integers
- k&r: Exercise 1-18. Program takes input but doesnt produce any output?
- Using in C thrd_sleep() to either wait for time or interrupt by signal. Example?
- How can I compute `exp(x)/2` when `x` is large?
- c programming: answer always equates to 0
- Is it possible to access a parameter of a function from another function in C?
- Will this expression evaluate to true or false (1 or 0) in C?
- What Is the Return Value of strcspn() When Str1 Does not Contain Str2?
- Mapping a numeric range onto another
- Signalled and non-signalled state of event
- Why is faster to do a branch than a lookup?