#956 – PasswordBox Stores Password as a SecureString
November 22, 2013
When you use the PasswordBox control to let a user enter a password, the resulting password is stored in a SecureString. SecureString allows storing confidential data in memory in a more secure manner than is possible with the string data type.
If the security of the string entered into a PasswordBox is important, you should avoid converting the password into a managed type. You can access the entered password as a SecureString using the SecurePassword property.
You can also cause the password stored in a PasswordBox to be decrypted and stored as a string by using the Password property. Since copying the confidential data into a managed type is not as secure as letting it remain stored on the unmanaged heap, within the SecureString, you should only use the Password property if the security of the data is not critical.
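The following is an added example, not code from the original post: one way to consume the value of SecurePassword without ever creating a System.String. The names SecurePasswordHelper, WithPasswordBytes and Demo are hypothetical, the SecureString built in Main is a constructed stand-in for passwordBox.SecurePassword, and the HashAlgorithmName overload of Rfc2898DeriveBytes assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

static class SecurePasswordHelper
{
    // Hands the password to 'use' as UTF-16 bytes, then wipes the copies made here.
    public static T WithPasswordBytes<T>(SecureString password, Func<byte[], T> use)
    {
        var bytes = new byte[password.Length * 2];
        // Pin the array so the GC cannot relocate it and leave a stale copy behind.
        GCHandle pin = GCHandle.Alloc(bytes, GCHandleType.Pinned);
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            // Decrypts into unmanaged memory; no immutable string is created.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, bytes, 0, bytes.Length);
            return use(bytes);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged); // zero, then free
            Array.Clear(bytes, 0, bytes.Length);               // wipe the pinned copy
            pin.Free();
        }
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed stand-in for passwordBox.SecurePassword in a WPF event handler.
        using (var entered = new SecureString())
        {
            foreach (char c in "correct horse") entered.AppendChar(c); // demo literal only
            entered.MakeReadOnly();

            byte[] salt = new byte[16]; // constructed: all-zero salt, for the demo only
            byte[] key = SecurePasswordHelper.WithPasswordBytes(entered, pw =>
            {
                using (var kdf = new Rfc2898DeriveBytes(pw, salt, 100000, HashAlgorithmName.SHA256))
                    return kdf.GetBytes(32);
            });
            Console.WriteLine("Derived {0} key bytes", key.Length);
        }
    }
}
```

Unlike a string, the byte array can be overwritten as soon as the callback returns, so the plaintext exists in managed memory only for the duration of the call.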