Create secure string easily in tests (i.e. for a password for Process.Start)

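    using System;
    using System.Diagnostics;
    using System.Security;

    // Test-only: the password literal is already an ordinary CLR string.
    SecureString pwd = new SecureString();
    foreach (char c in "Pass@word1")
    {
        pwd.AppendChar(c);
    }
    Process.Start("notepad", "Administrator", pwd, Environment.MachineName);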
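
An added example (not from the original post): the loop above wrapped as a test-only extension method, next to a console reader that builds the SecureString key by key so the password never exists as a CLR string, which is the case the first comment below warns about. The names SecureStringExamples, ToSecureStringForTests and ReadPasswordFromConsole are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security;

static class SecureStringExamples
{
    // Test-only helper (hypothetical name): the plaintext literal already lives
    // in the assembly and on the managed heap, so this gives no secrecy.
    public static SecureString ToSecureStringForTests(this string plaintext)
    {
        var secure = new SecureString();
        foreach (char c in plaintext)
        {
            secure.AppendChar(c);
        }
        secure.MakeReadOnly(); // reject any later modification
        return secure;
    }

    // Non-test path: read key by key so the password is never a System.String.
    public static SecureString ReadPasswordFromConsole()
    {
        var secure = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0) secure.RemoveAt(secure.Length - 1);
                continue;
            }
            if (!char.IsControl(key.KeyChar)) secure.AppendChar(key.KeyChar);
        }
        secure.MakeReadOnly();
        return secure;
    }

    static void Main()
    {
        // SecureString is IDisposable; Dispose zeroes and frees its buffer.
        using (SecureString pwd = "Pass@word1".ToSecureStringForTests())
        {
            Process.Start("notepad", "Administrator", pwd, Environment.MachineName);
        }
    }
}
```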

2 Comments

  • Note that one of the primary benefits of SecureString is that its contents are stored encrypted in a private heap. Thus, nowhere in the GC heap can be found the raw string backing the SecureString. But if you ever convert it from or to an ordinary CLR string, this no longer holds.

    So: You should only use the above technique if you don't care about Administrator's password getting logged in a crash dump to disk, sent over the network, etc. The reason SecureString doesn't have a string-based overload is that the designers thought this would be a prohibitively risky scenario to enable (without users realizing this specific drawback).

  • That's very true, of course. The technique I show should only be used in unit tests.
