I am currently storing the user password in a SecureString. Which is also kept around in case the connection to the DB resets.
My problem is, I'm trying to pass this password to an OracleParamater, but I'm not sure if it supports it or not.
Does Oracle's Oracle.DataAccess dll support SecureString or BStr? Since If I have to convert it to a string then that would kinda defeat the purpose of SecureString.
--- EDIT
I know that SecureString is about reducing the attack surface by keeping as few copies of the password around unencrypted as possible. The problem is at some point you ofcourse have to decrypt the password to use it. If I could pass a char[] or a BStr or the secure string itself in an OracleParameter then I could clear it after the call returns. But If I have to create a string in order to pass it to Oracle, then I've just created a new immutable copy of the password. So I'm not really sure I gained much then.
No - AFAIK what you ask is not supported...
BUT even if it were supported the security issue would remain since the Oracle driver used (OCI) is native and does not know anything about SecureString thus it will handle the value internally without encryption which in turn means that this value can end up for example unencrypted in the swap file...
It would be a bit more secure if what you ask were supported on the .NET side of things but merely so...
IF you really need that level of security I would recommend redesigning that part of your software to use encrypted values in a way that the server-side (Oracle DB) of things does not require "plain text" but works with the encrypted values...
SecureString is an in-memory holder of your private information.
The reason it was implemented, is that if you use simple string for holding user private information, even after you no more reference that object and it was already garbage collected, it's potentially possible that hacker-code by executing dump of your process memory could still access a data available in that memory location, so access the private information.
In case of SecureString, instead, that location will be erased so even on memory dump you will not see anything related to the string used in your code.
As suggested by Yahia, if you concern about connection security or data transmisson security, use secure connection for that purpose.
