.NET SecureString string extraction best practice

From a security standpoint, are all of these equivalent or is one of them better than the others from preventing prying eyes when extracting the data?  As much as possible, these are supposed to be used immediately, rather than assigning them to a standard string variable.

Dim ssPassword as New Security.SecureString

' Set SSPassword somewhere here ...

'Option 1
Runtime.InteropServices.Marshal.PtrToStringBSTR(Runtime.InteropServices.Marshal.SecureStringToBSTR(ssPassword)

'Option 2
New Net.NetworkCredential("", ssPassword).Password)))

'Option 3
Friend Function ExtractSSPassword(ss As Security.SecureString) As String
    Return Runtime.InteropServices.Marshal.PtrToStringBSTR(Runtime.InteropServices.Marshal.SecureStringToBSTR(ssPassword)
End Function

Open in new window

eeyoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
networkcredential is not the same as securestring it is literally plaintext
0
eeyoAuthor Commented:
I thought NetworkCredential also stored it as securestring and then extracted it to plaintext when needed.  Still not sure how secure it is compared to the Marshal method, though ...
Here is what I found:
.Net NetworkCredentials insecure password stored as plain text when using SecureString
0
David Johnson, CD, MVPOwnerCommented:
The secure string is never stored in memory unencrypted, networkcredential is plain text
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
eeyoAuthor Commented:
If I go with the Marshal method, do you think there is any additional security exposure by wrapping it in a function (as in the sample Code, Option 3)?  It be used immediately, and not assigned to another plaintext string.
0
David Johnson, CD, MVPOwnerCommented:
netcredential is used when you request a page from a web server and the username and password is required. By definition this is in plain text if using basic authentication
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET Programming

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.