System.StringThe most important factors that don’t recommend the System.String type as a secure type are:
- System.String is not encrypted. Anyone who can read your process' memory will be able to see the value of the string easily. Also, if your process gets swapped out to disk, the unencrypted contents of the string will be sitting in your swap file.
- System.String is immutable. Because of this you can not modify an existing string without create a copy of it first and you can not clear the content of a string. You may end up with several copies of your sensitive data in memory which are hard to hide from a possible attacker.
- System.String can be moved around in memory by the Garbage Collector (GC). This happens because of the Garbage Collector's generations mechanism.
- System.String can’t be disposed on demand. No one can predict when a specific string will be reclaimed by the Garbage Collector (GC). It is possible that some strings to survive long time after the application was closed.
The byte array workaroundBefore .NET 2.0, the recommended way to handle sensitive data was to use the byte array. A byte array can be handled almost in a string manner but with some extra advantages:
- Each byte from the byte array can be encrypted and decrypted using any encoding algorithm.
- We can clean-up the content of it.
- We can dispose a byte array on demand.
The SecureString classLet’s see what are the advantages that recommend the SecureString class to be better than Sytem.String or even than the byte array method:
- A SecureString object is similar to a String object in that it has a text value. So it helps you to write cleaner code then the byte array method.
- The value of a SecureString object is automatically encrypted when its value is initialized or modified. It will be automatically decrypted when it will be accessed.
- The value of a SecureString can be modified until your application marks it as read-only. You'll find AppendChar(), InsertAt(), RemoveAt(), and SetAt() methods as well as a Length property.
- The value of a SecureString can be deleted from computer memory by either your application or the .NET Framework Garbage Collector. This includes clearing the entire content.
- The Garbage Collector (GC) will not move the encrypted string around in memory, so you never have to worry about multiple copies of your string sitting in your address space.
Let me show you an example of how a SecureString should be used:
static void Main(string args)
Console.WriteLine("Please enter your password to be encrypted:");
SecureString password = ReadPassword();
Console.WriteLine("Press any key to quit");
public static SecureString ReadPassword()
SecureString password = new SecureString();
ConsoleKeyInfo key = Console.ReadKey(true);
while (key.Key != ConsoleKey.Enter)
key = Console.ReadKey(true);
password.MakeReadOnly(); // make the password read-only.
return password; // return the encrypted password.
public static void PrintPassword(SecureString password)
// Uncrypt the password and get a reference to it...
IntPtr bstr = Marshal.SecureStringToBSTR(password);
// Printing the uncrypted password...