SecureString
is not considered secure. If you need to do this, you can either use a char[]
and overwrite the data once done, or you can use unsafe
code to overwrite a string
when done (just... hope it wasn't interned or a shared reference); note that this applies everywhere in the call stack. Note that the OS may have copied the page for various reasons and it may even be on disk (swap file) if the memory wasn't very carefully allocated.
However, by the time memory analysis tools are a factor in a winforms app, it would be easier to use a key logger, or just take a wrench and threaten someone for the password:
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…