Using SecureString and keeping it secure

Updated: 2023-02-03 08:33:36

In placing the contents of a SecureString back into a String, you reintroduce the problems of using strings that are listed out here:

http://blogs.msdn.com/shawnfa/archive/2004/05/27/143254.aspx

With SecureString, there are options that are provided to marshal the contents into unmanaged memory so you can access the data and then dispose of the data when done with it.

These are options you just don't have with managed code. In working with unmanaged bytes, you can zero out the memory, make sure it's not paged to disk, etc., etc., which is exactly what you want to do to reduce the attack surface here.

The key here is to not make another instance of String and work with the data in a way where security is easier to manage when dealing with this data (which unfortunately, is unmanaged code right now).
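The pattern the answer describes, marshalling a SecureString into unmanaged memory, using the bytes there, and zeroing the buffer before freeing it, looks like this in C#. This is an added example and not code from the answer above; the `UseSecureString` helper, the `process` callback and the sample value `"hunter2"` are constructed for illustration, while `Marshal.SecureStringToGlobalAllocUnicode`, `Marshal.ZeroFreeGlobalAllocUnicode` and `Marshal.ReadInt16` are real .NET APIs.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example: work with a SecureString's contents in unmanaged memory
// and never materialise them as a managed System.String.
static class SecureStringDemo
{
    // Hypothetical helper: copies the secret into an unmanaged UTF-16 buffer,
    // hands the pointer and character count to 'process', then zeroes and
    // frees the buffer no matter how 'process' exits. Returns the length.
    static int UseSecureString(SecureString secret, Action<IntPtr, int> process)
    {
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            // Allocates a NUL-terminated UTF-16 copy in unmanaged memory.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            process(unmanaged, secret.Length);
            return secret.Length;
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
            {
                // Overwrites the buffer with zeros before releasing it, so the
                // plaintext does not linger after use. Plain FreeHGlobal would
                // leave the bytes in memory until something else reuses them.
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            }
        }
    }

    // Example consumer: checks a simple length/character policy by reading
    // the unmanaged buffer one UTF-16 code unit at a time.
    static bool MeetsPolicy(IntPtr buffer, int length)
    {
        if (length < 8) return false;
        bool hasDigit = false;
        for (int i = 0; i < length; i++)
        {
            char ch = (char)Marshal.ReadInt16(buffer, i * sizeof(char));
            if (char.IsDigit(ch)) hasDigit = true;
        }
        return hasDigit;
    }

    static void Main()
    {
        // Constructed sample input. In real code the characters would come
        // from Console.ReadKey or another SecureString-aware source, never
        // from a String literal, which defeats the purpose.
        using (var secret = new SecureString())
        {
            foreach (char c in "hunter2") secret.AppendChar(c);
            secret.MakeReadOnly();

            bool ok = false;
            int len = UseSecureString(secret, (ptr, n) => ok = MeetsPolicy(ptr, n));
            Console.WriteLine($"Checked {len} characters; policy satisfied: {ok}");
        }
    }
}
```

Two points worth keeping in mind when reusing this shape: the `finally` block is what makes the zeroing reliable, since an exception inside `process` must not leave a plaintext copy behind; and where a .NET API already accepts a `SecureString` directly (for example `ProcessStartInfo.Password` or `NetworkCredential`), passing it through is preferable to marshalling at all, because then your code never holds the plaintext in either managed or unmanaged memory.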