You're right -- using the contents of a SecureString in managed code is pretty silly. However, for P/Invoke APIs such as the Windows Credential API, it's just the thing for keeping your password away from prying eyes.
Another possibility is to call Marshal.SecureStringToBSTR() and do all your processing in unmanaged code; you can still maintain some semblance of security.
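A sketch of the pattern described in the comment above, added here as an illustration and not code from the commenter: the SecureString is decrypted into an unmanaged BSTR, handed to the Credential API's CredWriteW through P/Invoke, and wiped in a finally block. The class name CredentialStore, the method name Save, and the choice of a session-scoped generic credential are assumptions made for the example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security;

static class CredentialStore   // hypothetical helper, not a framework type
{
    const uint CRED_TYPE_GENERIC = 1;
    const uint CRED_PERSIST_SESSION = 1;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDENTIAL
    {
        public uint Flags;
        public uint Type;
        public string TargetName;
        public string Comment;
        public FILETIME LastWritten;
        public uint CredentialBlobSize;
        public IntPtr CredentialBlob;   // raw pointer: the secret never becomes a System.String
        public uint Persist;
        public uint AttributeCount;
        public IntPtr Attributes;
        public string TargetAlias;
        public string UserName;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredWriteW(ref CREDENTIAL credential, uint flags);

    public static void Save(string target, string user, SecureString password)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            // Plaintext exists only in this unmanaged buffer, outside the GC heap.
            bstr = Marshal.SecureStringToBSTR(password);
            var cred = new CREDENTIAL
            {
                Type = CRED_TYPE_GENERIC,
                TargetName = target,
                UserName = user,
                CredentialBlob = bstr,
                CredentialBlobSize = (uint)(password.Length * 2), // UTF-16 bytes
                Persist = CRED_PERSIST_SESSION
            };
            if (!CredWriteW(ref cred, 0))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        finally
        {
            // Zero the buffer before freeing it, even if the call threw.
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }
}
```

The plaintext still exists in process memory between SecureStringToBSTR and ZeroFreeBSTR, so the window is narrowed rather than eliminated.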