How it works...

It has become almost a habit for many developers to use System.String to store sensitive information such as passwords. The problem with this approach is that System.String is immutable: the object created in memory can't be changed, so modifying the variable creates a new object in memory instead. You also cannot determine when the garbage collector will remove a System.String object from memory. Conversely, the SecureString object encrypts the sensitive information and, when the object is no longer needed, deletes it from memory. SecureString encrypts and decrypts your sensitive data in unmanaged memory.

Now, I need to be clear regarding one thing here. SecureString is by no means foolproof. If your system contains a virus whose sole purpose is to compromise SecureString operations, using it doesn't help much (be sure to use proper anti-virus software anyway). At some point during code execution, the string representation of your password (or other sensitive information) is visible. Secondly, if a hacker somehow found a way to inspect your heap or log your keystrokes, the password might be visible. The use of SecureString, however, makes this window of opportunity for a hacker much smaller. The window shrinks because there are fewer attack vectors (points of entry for a hacker), thereby reducing your attack surface (the sum of all points at which a hacker can attack).

The bottom line is this: SecureString is there for a reason. As a software developer concerned about security, you should be using SecureString.
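The following console program is an added example, not code from the book or from the .NET libraries, showing the pattern the recipe describes: the password is appended to a SecureString one keystroke at a time (so no System.String copy of it is ever created), the SecureString is decrypted into unmanaged memory only for the moment it is needed, and both the unmanaged buffer and the temporary char array are zeroed afterwards. The password-policy rule (at least twelve characters and one digit) is an assumption made up for the demonstration, as are the method names ReadPassword, WithDecryptedChars and MeetsPolicy.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

public static class SecureStringDemo
{
    // Reads a password from the console one keystroke at a time and appends each
    // character straight into the SecureString, so the plain text never lives in
    // an immutable System.String that the garbage collector decides when to free.
    public static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0)
                {
                    secure.RemoveAt(secure.Length - 1);
                }
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secure.AppendChar(key.KeyChar);
            }
        }
        secure.MakeReadOnly(); // no further AppendChar/RemoveAt allowed
        return secure;
    }

    // Decrypts the SecureString into unmanaged memory, hands the characters to the
    // callback as a mutable char[] (never a string), and wipes both buffers in the
    // finally block. This is the narrow "window of opportunity" from the text:
    // the plain text exists only while the callback runs.
    public static T WithDecryptedChars<T>(SecureString secure, Func<char[], T> action)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[secure.Length];
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secure);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            return action(chars);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
            {
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged); // zero, then free
            }
            Array.Clear(chars, 0, chars.Length); // char[] is mutable, so it can be wiped
        }
    }

    // Illustrative policy check (assumed for this example): at least 12 characters
    // and at least one digit. It inspects the char[] and never builds a string.
    public static bool MeetsPolicy(SecureString secure)
    {
        return WithDecryptedChars(secure, chars =>
            chars.Length >= 12 && Array.Exists(chars, char.IsDigit));
    }

    public static void Main()
    {
        Console.Write("Password: ");
        using (SecureString password = ReadPassword())
        {
            Console.WriteLine();
            Console.WriteLine(MeetsPolicy(password)
                ? "Password accepted into a SecureString."
                : "Password rejected: needs 12+ characters and a digit.");
        } // Dispose() zeroes the encrypted buffer right away, no waiting for the GC
    }
}
```

Two practical notes on this pattern. First, prefer APIs that accept a SecureString directly (for example the NetworkCredential and ProcessStartInfo constructors and properties that take one) over decrypting it yourself; every call to SecureStringToGlobalAllocUnicode is a point where the plain text exists. Second, the in-memory encryption is a Windows feature: on .NET Core running on other platforms the SecureString contents are kept in unmanaged memory but are not encrypted, so on those systems the benefit is limited to prompt zeroing on Dispose.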
