dotnet / docs

This repository contains .NET Documentation.
https://learn.microsoft.com/dotnet
Creative Commons Attribution 4.0 International

.NET should have a good practices guide about managing/transfer (maybe storing too) sensitive data and secrets #27110

Open DrkWzrd opened 2 years ago

DrkWzrd commented 2 years ago

In advance, sorry for my English.

Help us make content visible

Searching about SecureString, Password, PasswordBox, and Password string fields/properties around in .NET APIs. In the SecureString doc we can see a warning telling us "what happens" with SecureString and discouraging its use.

Describe the new article

We can read in some issues in the runtime repo about SecureString obsolescence, Secret, ShroudedBuffer... as new alternatives, etc. But nowhere does any doc teach or advise about how to manage passwords securely in .NET.

Workflows, classes, best practices, alternatives, common fails...

This should be linked in System.Security namespace documentation. And can be an "extra resource" or be in "learning".

Outline:

- Concerns about security and secrets.
- Light explanation about Windows low-level sensitive data managing/certificates, etc... Or a link to existing doc.
- What to use in .NET for this.
- Managing passwords or sensitive data in .NET. What to do, what NOT to do.
- Code examples.
- Certificates/other solutions instead of passwords.
- ASP.NET relations/SQL Server cryptography links.
- Code examples.

tdykstra commented 2 years ago

@Rick-Anderson Do we have a doc like this in the ASP.NET Core docs?

Rick-Anderson commented 2 years ago

https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets is a .NET tool