I got a question during a security code-review, why we don’t use SecureString.
We’ve made an authprovider, inheriting from CredentialsAuthProvider, overriding this method:
public override async Task<bool> TryAuthenticateAsync(IServiceBase authService,
string userName, string password, CancellationToken token=default)
The password is a plain string. Is there any reason it’s not using SecureString for the password?
It’s cumbersome to work with and would break backwards compatibility. I also can’t recall ever using an API that required using a SecureString, e.g. all ASP .NET Identity Auth APIs that accept passwords like SignInManager.cs uses string as well. No other 3rd Party client I know of accepting Credentials, API Keys, Connection Strings with Passwords, etc uses SecureString.
Microsoft also recommends against its use: https://github.com/dotnet/runtime/issues/30612
Thanks, quick reply and “someone wise already thought about it” is one of the reasons why we chose SS. This is good enough for our sec-review.