views: 352
answers: 2
All of the examples I have seen end up converting a SecureString back to a standard string before using it, defeating the object. What's a good way of using a secure string without this problem?

I know I can marshal the SecureString to a BSTR, but what can I do with this BSTR? Can I get the characters back one at a time? If so, how?

A: 

I think the MSDN Page describing the SecureString says it best:

Represents text that should be kept confidential.

SecureStrings are not meant to be used like strings. They are meant to be limited-access holders of information that should be subject to increased security.

If you want to modify the contents of a SecureString, all of the necessary methods are there. However, if you need to get the value of the secure string, you must ToString() as no other methods are exposed to do this.

In other words, don't use SecureStrings like strings.

Matthew Jones
ToString does not return the contents of the string, only the object type name. You can marshal the SecureString to a BSTR, but I don't know how you can use it from that point on. Just because it is confidential doesn't mean you don't need to work with it. A credit card number is confidential, but I still want the money!
+2 A: 

This link includes a lot of helpful information, including how to get an unmanaged memory block for passing the string to native code (that is presumably also secure), a BCL class that uses it, and links to a couple of examples:

http://bartdesmet.net/blogs/bart/archive/2006/03/31/3851.aspx

The main thing is that it's not really used that much yet, but you are free to make your own libraries that rely on it.

Joel Coehoorn
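The following is an added example (not code from either answer or from the linked blog post) showing what the question asks for: reading a SecureString one character at a time through the BSTR that `Marshal.SecureStringToBSTR` returns, and wiping that BSTR with `Marshal.ZeroFreeBSTR` afterwards, so no managed `System.String` ever holds the plaintext. The two consumers (a digits-only check and a content comparison) are illustrative choices, not anything the page prescribes; `FromChars` exists only so the sample runs offline and would never be used in real code, where the characters come in one at a time from `Console.ReadKey(true)` or a password box. One caveat the answers do not mention: on .NET Core and .NET 5+ the SecureString contents are not encrypted in memory on any platform, so this technique limits the plaintext's lifetime and copies but does not hide it from a process-memory dump.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringWalker
{
    // Calls `visit` once per character of `secret` without building a
    // managed string. The BSTR copy of the plaintext is zeroed and freed in
    // the finally block, so it exists only for the duration of the walk.
    public static void ForEachChar(SecureString secret, Action<char> visit)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        if (visit == null) throw new ArgumentNullException(nameof(visit));

        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);
            // A BSTR holds UTF-16 code units, two bytes each; SecureString.Length
            // is the character count, so the byte offsets are 0, 2, 4, ...
            for (int i = 0; i < secret.Length; i++)
            {
                char c = (char)Marshal.ReadInt16(bstr, i * 2);
                visit(c);
            }
        }
        finally
        {
            if (bstr != IntPtr.Zero)
                Marshal.ZeroFreeBSTR(bstr); // overwrite the plaintext, then release it
        }
    }

    // Compares two SecureStrings character by character. Once the lengths
    // match, every character is examined (no early exit on the first
    // mismatch), so timing does not reveal the position of a difference.
    public static bool ContentEquals(SecureString a, SecureString b)
    {
        if (a == null || b == null) throw new ArgumentNullException();
        if (a.Length != b.Length) return false;

        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            pa = Marshal.SecureStringToBSTR(a);
            pb = Marshal.SecureStringToBSTR(b);
            int diff = 0;
            for (int offset = 0; offset < a.Length * 2; offset += 2)
                diff |= Marshal.ReadInt16(pa, offset) ^ Marshal.ReadInt16(pb, offset);
            return diff == 0;
        }
        finally
        {
            if (pa != IntPtr.Zero) Marshal.ZeroFreeBSTR(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeBSTR(pb);
        }
    }

    // Demo-only helper: builds a SecureString from a literal. Real code
    // appends characters as they are typed and never has the full value
    // in a managed string to begin with.
    static SecureString FromChars(string demoValue)
    {
        var s = new SecureString();
        foreach (char c in demoValue) s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    static void Main()
    {
        // Constructed sample inputs (the credit-card case from the comment above).
        SecureString card  = FromChars("4111111111111111");
        SecureString again = FromChars("4111111111111111");
        SecureString other = FromChars("4111111111111112");

        // Consumer 1: validate the format one character at a time.
        bool allDigits = true;
        int count = 0;
        ForEachChar(card, c =>
        {
            if (char.IsDigit(c)) count++;
            else allDigits = false;
        });
        Console.WriteLine($"digits only: {allDigits}, characters seen: {count}");

        // Consumer 2: compare against another SecureString without decrypting
        // either one into a managed string.
        Console.WriteLine($"card equals again: {ContentEquals(card, again)}");
        Console.WriteLine($"card equals other: {ContentEquals(card, other)}");

        card.Dispose(); again.Dispose(); other.Dispose();
    }
}
```

The same pattern covers the second answer's point about handing the value to native code: `Marshal.SecureStringToBSTR` (or `SecureStringToGlobalAllocUnicode`) gives you the unmanaged pointer a P/Invoke signature can take, and the matching `ZeroFree*` call in a `finally` block is what keeps the plaintext's lifetime bounded to that single call.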