SecureString – so much potential, but it fails

I looked into using SecureString at one point for a project that I’m working on, but unfortunately didn’t find it very useful. There are cases like the SMO Server instantiation where it accepts it, but when establishing a regular ADO.NET connection, there’s no support for it, so then you have to pull the clear-text password out of the SecureString and make it part of the connection string (bypassing the security benefits of it). Also, it’s easy to get a string into the SecureString, but not as easy to get the clear-text value out.

Here’s some info on that:

http://cs.rthand.com/blogs/blog_with_righthand/archive/2005/06/10/40.aspx

http://bartdesmet.net/blogs/bart/archive/2006/03/31/3851.aspx

The second guy makes a good point, that if you use the SecureString, you should only store the clear-text string for as little time as possible, and then null it out…but then that brings up some other issues. Also, there’s the issue of where the string resides between the time that the user enters it and the time we get it into the SecureString…we’d need to capture each character as it’s entered and append it to the SecureString, to truly make it secure.

I wish they would’ve made it much more usable, as I think it’s a great direction to go towards, but right now just SMO and some of the Cryptography classes are the only ones that support it.

Here’s a control that could come in handy if you really need to use it: SecurePasswordTextBox – A textbox that uses the SecureString class (http://weblogs.asp.net/pglavich/archive/2006/02/26/439077.aspx)

About esteban

Esteban is the Founder and Chief Technologist at Nebbia Technology, an ALM consulting and Azure-powered technology company. He is a software developer with a passion for ALM, TFS, Azure, and software development best practices. Esteban is a Microsoft Visual Studio ALM MVP and ALM Ranger, Pluralsight author, and the president of ONETUG (Orlando .NET User Group).

One thought on “Error when installing SQL 2008 on Windows Server 2008 R2 (64 bit)”

  1. Mark Allen

    Another approach which works well is to have the XML tag reference a custom TFS group. In my case there is a master contributor group shared between projects so rather than list all the contributor users in the template AssignedTo list boxes I created a TFS group called ‘TeamAssignments’ and within security I referenced the team. Then in the templates I added the tag ListItem value=[project]\TeamAssignments. Now when anyone is added to the team they are displayed in the AssignedTo List box. This also means that another team can be created without changing the templates as the changes can be done in security.

    TFS Team Name: Blue (example set up in security)
    TFS Group Name: TeamAssignments
    Members: Team Blue

