Making use of the SecureString
In .Net V2, there is a class called the SecureString in the System.Security namespace. Its a nifty little class that stores its contents in encrypted form, and is not subject to managed heap garbage collection side effects, where copies of the string are left around while waiting to be collected, and also its string value is not sitting in memory for all to see, nor are multiple copies made each time a character is added and a whole bunch of other things I have talked about previously. Basically, it allows secure storage, in memory, of a string, such that tools that can pry into your memory, don't see things they are not supposed to.
Problem is, to use this class in any meaningful way from a user interface perspective, you usually have to enter your string first into some UI element such as a textbox, or other control, and these controls themselves dont utilise a secure string class. Rather, they use standard string mechanisms to store their data, so even though you may have immediately copied the contents to a secure string class, they are still loitering around in memory, waiting to be collected (or worse yet, with a valid reference to them, and not being collected for some time).
I have been wanting to upgrade my personal password manager application for some time now, as it was only written as a little micky mouse app to try out some UI elements a very long time ago, but ended up proving very useful. Its implementation is not what I would call good practice code though. In V2, I wanted to utilise the secure string class to store my passwords in memory, however its not so easy from a UI perspective, as already mentioned. To that end, I have started to develop a 'SecureTextBox' control which allows textual entry like a textbox with a password character defined, however all internal storage is via a secure string. No standard managed string instance is used at all. Its in a semi-working form right now, and will be finished soon. I'll release it for others to use ofcourse. I'd be interested in hearing if there are already implementations out there around this.
Oh well, back to it....