I am creating a .NET core webapp in C# that takes in a user password and hashes it to be stored on a server. I'm using Rfc2898DeriveBytes
along with a randomly generated salt. I've read, however, that I should avoid using strings in the entire process since strings cannot be removed from memory. I know that .NET core has a PasswordBox
that keeps the password as a SecureString
, but SecureString
s cannot be converted to a byte array to be passed to Rfc2898DeriveBytes
's constructor without a great deal of shenanigans.
Since the webapp is only going to run on my server, can I just convert the SecureString
back to a string as soon as it has been passed into my webapp? If an attacker manages to access the server's RAM to search for an undeleted string, there's probably very little I can do to protect anything to begin with.
If I should still go through with using SecureStrings
, what are the best practices for hashing it to be stored?