
How to get back the value from SecureString the most secure way?

I found this code to get the value back.

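```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

public static String SecureStringToString(SecureString value)
{
    IntPtr valuePtr = IntPtr.Zero;
    try
    {
        // Decrypt the SecureString into an unmanaged UTF-16 buffer.
        valuePtr = Marshal.SecureStringToGlobalAllocUnicode(value);
        // Copy the plaintext into a managed, immutable String.
        return Marshal.PtrToStringUni(valuePtr);
    }
    finally
    {
        // Zero and free the unmanaged buffer; the returned String is not wiped.
        Marshal.ZeroFreeGlobalAllocUnicode(valuePtr);
    }
}
```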

Is it secure to use it this way, or does it destroy the whole security of SecureString?

X11
  • IMO, `SecureString` is mostly silly and security through obscurity. As you note, the fact you can decrypt it means it's mostly not secure in any meaningful sense. [This](https://stackoverflow.com/questions/141203/when-would-i-need-a-securestring-in-net) goes into some more detail. – Kirk Woll Dec 30 '18 at 21:53
  • If you /ever/ have the value in a regular string it has lost almost all of its value. Pretty much, don’t use SecureString. It’s an expensive non-solution. – bartonjs Jan 02 '19 at 06:25

0 Answers
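The code in the question copies the secret into an immutable `String` that the caller cannot wipe. As an added example (not part of the original question or its comments), the helper below copies the plaintext into a pinned `char[]` instead and zeroes every copy after use; the names `SecureStringExample` and `WithPlaintext` are hypothetical, and the plaintext is still present in process memory while the callback runs.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

public static class SecureStringExample // hypothetical name, not from the page
{
    // Hands the plaintext to 'use' as a pinned char[] and wipes every copy afterwards.
    // No System.String is created, so no immutable copy is left on the managed heap.
    public static T WithPlaintext<T>(SecureString value, Func<char[], T> use)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        if (use == null) throw new ArgumentNullException(nameof(use));

        char[] buffer = new char[value.Length];
        // Pin the array so the GC cannot relocate it and leave a stale copy behind.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(value);
            Marshal.Copy(unmanaged, buffer, 0, buffer.Length);
            return use(buffer);
        }
        finally
        {
            // Runs even if 'use' throws: wipe the unmanaged copy, then the managed one.
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(buffer, 0, buffer.Length);
            pin.Free();
        }
    }

    public static void Main()
    {
        using (var secret = new SecureString())
        {
            // Constructed sample value; the literal is a managed string only for this demo.
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            secret.MakeReadOnly();

            // The callback must not build a string from the chars or keep the array.
            int digits = WithPlaintext(secret, chars => Array.FindAll(chars, char.IsDigit).Length);
            Console.WriteLine(digits);
        }
    }
}
```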