2

defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.

var password = ConfigurationManager.AppSettings["xyz"].ToString();

What can I do to remove Heap Inspection for this?

shubham bohra

1 Answer

2

You have two options to manually remove the string content from memory:

Option 1: Manual Garbage Collection

There is nothing special about the memory consumed by the string object holding the password. To remove the object from memory using manual garbage collection, remove all references to the password variable, then call System.GC.Collect().

Option 2: Use System.Security.SecureString

SecureString has a Dispose method that will release the memory consumed by the string when you are done with it. I haven't tried this myself, but you should be able to do something like this:

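// Namespaces needed at the top of the file
using System.Configuration;
using System.Security;

// Create a SecureString and copy the configured value into it one character at a time
SecureString password = new SecureString();
foreach (char c in ConfigurationManager.AppSettings["xyz"].ToString())
{
    password.AppendChar(c);
}

// Use password
this.SomeMethod(password);

// Remove password: Dispose releases the SecureString's buffer
password.Dispose();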
Kevingy
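Option 2 taken one step further, as an added example that is not part of the original answer: the SecureString contents are exposed only inside a callback, and both the unmanaged copy and the pinned managed buffer are zeroed in `finally`. `SecretDemo`, `UseSecret` and the sample characters are constructed for illustration. It assumes the secret arrives character by character, because a value read from `ConfigurationManager.AppSettings` is already an immutable `System.String` that this code cannot clear.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecretDemo
{
    // Hypothetical helper: hands the plaintext to 'consumer' as a pinned char[]
    // and wipes every plaintext copy before returning, even if consumer throws.
    public static void UseSecret(SecureString secret, Action<char[]> consumer)
    {
        char[] buffer = new char[secret.Length];
        // Pin the buffer so the GC cannot relocate it and leave a stale copy behind.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, buffer, 0, buffer.Length);
            consumer(buffer);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged); // zero, then free
            Array.Clear(buffer, 0, buffer.Length);             // zero the managed copy
            pin.Free();
        }
    }

    static void Main()
    {
        // Constructed sample input, held in a char[] so no System.String is created.
        char[] typed = { 'S', '3', 'c', 'r', 'e', 't', '!' };
        using (var password = new SecureString())
        {
            foreach (char c in typed) password.AppendChar(c);
            Array.Clear(typed, 0, typed.Length); // wipe the source buffer
            password.MakeReadOnly();

            char[] seen = null;
            UseSecret(password, chars => { seen = chars; Console.WriteLine("in use, length " + chars.Length); });
            Console.WriteLine("zeroed after use: " + Array.TrueForAll(seen, ch => ch == '\0'));
        } // using disposes the SecureString
    }
}
```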