I looked into using SecureString at one point for a project that I’m working on, but didn’t find it very useful unfortunately. There are cases like the SMO Server instantiation where it accepts it, but when establishing a regular ADO.NET connection, there’s no support for it, so then you have to pull the clear-text password out of the SecureString and make it part of the connection string (bypassing the security benefits of it). Also, it’s easy to get a string into the SecureString, but not as easy to get the clear-text value out.
Here’s some info on that:
http://cs.rthand.com/blogs/blog_with_righthand/archive/2005/06/10/40.aspx
http://bartdesmet.net/blogs/bart/archive/2006/03/31/3851.aspx
The second guy makes a good point, that if you use the SecureString, you should only store the clear-text string for as little time as possible, and then null it out…but then that brings up some other issues. Also, there’s the issue of where the string resides between the time that the user enters it and the time we get it into the SecureString…we’d need to capture each character as it’s entered and append it to the SecureString, to truly make it secure.
I wish they would’ve made it much more usable, as I think it’s a great direction to go towards, but right now just SMO and some of the Cryptography classes are the only ones that support it.
Here’s a control that could come in handy if you really need to use it: SecurePasswordTextBox – A textbox that uses the SecureString class (http://weblogs.asp.net/pglavich/archive/2006/02/26/439077.aspx)
Mark Allen
Another approach which works well is to have the XML tag reference a custom TFS group. In my case there is a master contributor group shared between projects so rather than list all the contributor users in the template AssignedTo list boxes I created a TFS group called ‘TeamAssignments’ and within security I referenced the team. Then in the templates I added the tag ListItem value=[project]\TeamAssignments. Now when anyone is added to the team they are displayed in the AssignedTo List box. This also means that another team can be created without changing the templates as the changes can be done in security.
TFS Team Name: Blue (example set up in security)
TFS Group Name: TeamAssignments
Members: Team Blue
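Added example for the SecureString comment above (not code from either commenter): a console sketch of the two steps that comment describes, appending each keystroke straight into the SecureString and exposing the clear text only briefly before wiping it. The names `ReadPassword` and `WithClearText` are hypothetical, and a console application is assumed.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Append each keystroke directly, so no managed string ever holds the password.
    static SecureString ReadPassword()
    {
        var secret = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(true); // true = do not echo the key
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        secret.MakeReadOnly();
        return secret;
    }

    // Expose the clear text only inside the callback, then zero both copies.
    // Best effort: the GC may have moved the char[] before it is cleared.
    static void WithClearText(SecureString secret, Action<char[]> use)
    {
        IntPtr ptr = IntPtr.Zero;
        char[] buffer = new char[secret.Length];
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(ptr, buffer, 0, buffer.Length);
            use(buffer);
        }
        finally
        {
            Array.Clear(buffer, 0, buffer.Length);
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString pw = ReadPassword())
        {
            Console.WriteLine();
            WithClearText(pw, chars => Console.WriteLine("Length: " + chars.Length));
        }
    }
}
```

Anything the callback copies into an ordinary string, such as a connection string, stays in managed memory until it is garbage collected, which is the limitation the comment points out.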