I have an application with a "secret" (e.g. a password).
I don't want to store this secret locally in a user-accessible context file, so I'm planning to retrieve it on demand from the server over HTTPS.
I also don't want it visible in memory (e.g. from a crash log), for obvious reasons, so I'm storing the secret in a SecureString.
However, when I serialise the SecureString, the result just shows the length of the plaintext string, e.g. {"Length":4}
If I transmit the password in plaintext, though, then it will be visible in the retrieved JSON in memory, even if I subsequently store it in a SecureString.
Is there any way to serialize a SecureString, or to receive the JSON and convert a plaintext string to a SecureString without needing an intermediate regular String that would be stored in memory?
In this scenario, I have to store/send the actual password, rather than, for example, a one-time-use key as I'd prefer: that's beyond my control here. I need the actual plaintext password to access another service, so the usual "Hash it then compare the hash" doesn't apply either.
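
The receive side of the scenario described above, as an added example that is not part of the original post: the response body is kept as UTF-8 bytes, the one property is decoded into a `char[]`, appended to a `SecureString`, and both buffers are wiped. It assumes .NET 6 or later with `System.Text.Json`; `SecretReader`, `ReadSecret` and the `password` property name are hypothetical.

```csharp
using System;
using System.Security;
using System.Text;
using System.Text.Json;

static class SecretReader
{
    // Hypothetical helper: JSON string property -> SecureString, no System.String created.
    // Note: the caller's utf8Json buffer is zeroed before this method returns.
    public static SecureString ReadSecret(byte[] utf8Json, string propertyName)
    {
        char[] chars = Array.Empty<char>();
        try
        {
            var reader = new Utf8JsonReader(utf8Json);
            while (reader.Read())
            {
                if (reader.TokenType != JsonTokenType.PropertyName ||
                    !reader.ValueTextEquals(propertyName))
                    continue;
                if (!reader.Read() || reader.TokenType != JsonTokenType.String)
                    throw new JsonException("Secret is not a JSON string.");
                ReadOnlySpan<byte> raw = reader.ValueSpan; // bytes between the quotes
                if (raw.IndexOf((byte)'\\') >= 0)
                    throw new JsonException("Escaped secrets are not handled here.");
                chars = new char[Encoding.UTF8.GetMaxCharCount(raw.Length)];
                int count = Encoding.UTF8.GetChars(raw, chars);
                var secret = new SecureString();
                for (int i = 0; i < count; i++)
                    secret.AppendChar(chars[i]);
                secret.MakeReadOnly();
                return secret;
            }
            throw new JsonException("Property not found.");
        }
        finally
        {
            // Wipe every plaintext buffer this code owns, on success or failure.
            Array.Clear(chars, 0, chars.Length);
            Array.Clear(utf8Json, 0, utf8Json.Length);
        }
    }
    static void Main()
    {
        // Constructed sample body; a real one would arrive as bytes from the HTTPS response.
        byte[] body = Encoding.UTF8.GetBytes("{\"user\":\"svc\",\"password\":\"abcd\"}");
        using SecureString secret = ReadSecret(body, "password");
        Console.WriteLine(secret.Length); // SecureString exposes only its length
    }
}
```

This only controls the buffers the code itself allocates: copies held inside the HTTP and TLS stack are out of reach, and the garbage collector can relocate unpinned arrays before they are cleared.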