I have an application which takes a string from the Windows Forms text box and passes it to an API which uses a string as the parameter. I see that the string can still be queried from the process memory after the task is complete. I have come across suggestions to use SecureString for string memory management capabilities. But, if I understand correctly, the purpose of the string is defeated if the secure string is built from a string or the value of the secure string is ultimately stored in a string.
Please suggest what is the best possible solution.
TextBox control, then there's already an unknown/unknowable number of copies of that string lurking everywhere. You can't fix this leak. Either re-engineer this to use SecureString throughout or accept that someone with sufficient access to the machine(s) on which this code is running could potentially read this data from process memory. But bear in mind - someone with that level of access could easily have installed a keylogger anyway. – Damien_The_Unbeliever
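An added example (not code from this thread) of what using SecureString throughout can look like in Windows Forms: the control appends each typed character straight into a SecureString, so the secret is never placed in the TextBox's Text property, and the consumer receives a temporary unmanaged buffer that is zeroed afterwards. The names SecretBox and UseSecret are hypothetical, and editing is simplified to append and backspace.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Windows.Forms;

// Hypothetical control: keystrokes go into a SecureString, never into Text.
public sealed class SecretBox : TextBox
{
    private readonly SecureString _secret = new SecureString();

    // Disable shortcuts and the context menu so nothing is pasted into Text.
    public SecretBox() { ShortcutsEnabled = false; }

    protected override void OnKeyPress(KeyPressEventArgs e)
    {
        if (e.KeyChar == '\b' && _secret.Length > 0)
            _secret.RemoveAt(_secret.Length - 1);
        else if (!char.IsControl(e.KeyChar))
            _secret.AppendChar(e.KeyChar);

        e.Handled = true;                        // the edit control never receives the character
        Text = new string('*', _secret.Length);  // display a mask only
        SelectionStart = TextLength;
    }

    // Exposes the plaintext as an unmanaged UTF-16 buffer for the duration of the
    // callback only. If the callback builds a System.String from it, an
    // unwipeable managed copy exists again, which is the leak the question describes.
    public void UseSecret(Action<IntPtr, int> consumer)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(_secret);
            consumer(buffer, _secret.Length);    // length is in UTF-16 chars
        }
        finally
        {
            if (buffer != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(buffer); // overwrite with zeros, then free
        }
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _secret.Dispose();
        base.Dispose(disposing);
    }
}
```

This only narrows the window in which plaintext sits in memory; the keystrokes still pass through the Windows message queue, and an API that accepts only a string parameter will reintroduce a managed copy.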