Dec 31st, 2007, 04:25 PM
#1
Thread Starter
Lively Member
Protecting user passwords
I have an application that (per the design specs given to me by my boss) must verify the user's domain login password on startup. The startup form is a simple username / password form, and I am using the LogonUser API to verify the username and password provided.
After calling LogonUser, the returned token is set to Nothing, the password and username textboxes are cleared, the login form is disposed, and the main form of my application is loaded.
The question I have is: does this protect the user's password?
On MSDN's LogonUser page it states:
"When you have finished using the password, clear the password from memory by calling the SecureZeroMemory function"
... but I cannot find any example of this function being used in anything but C++, and a VB.NET LogonUser sample I found on MSDN does not zero the memory, so is clearing the textboxes and disposing the form enough?
Dec 31st, 2007, 05:36 PM
#2
Re: Protecting user passwords
First off, to make sure the password is "secure" while in memory in the .NET application, you should be using the SecureString datatype instead of just a String.
You can then use calls in the System.Runtime.InteropServices.Marshal class like SecureStringToBSTR (there are others too) to marshal the SecureString datatype over to the unmanaged native type used by the LogonUser function.
There are also methods for clearing out the marshalled types in the Marshal class, like ZeroFreeBSTR.
However, if you still need to make a native call to SecureZeroMemory, then why don't you just import it using a Win32 declaration like you are already doing for the LogonUser API call?
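Putting the pieces from this reply together (SecureString, SecureStringToBSTR, LogonUser taking a pointer instead of a managed String, ZeroFreeBSTR in a Finally block), as an added VB.NET example that is not from either poster; the module name, function name and the Windows API constants' values are my own assumptions:

```vb
Imports System
Imports System.Runtime.InteropServices
Imports System.Security

Public Module SecureLogonExample
    ' Declare LogonUser with the password as an IntPtr (the BSTR we marshal),
    ' so the plaintext never becomes an immutable managed String on the heap.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal lpszUsername As String, _
                               ByVal lpszDomain As String, _
                               ByVal lpszPassword As IntPtr, _
                               ByVal dwLogonType As Integer, _
                               ByVal dwLogonProvider As Integer, _
                               ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' Returns True if the domain accepts the credentials. The unmanaged copy of
    ' the password is zeroed and freed, and the token closed, even on exception.
    Public Function VerifyCredentials(ByVal userName As String, _
                                      ByVal domain As String, _
                                      ByVal password As SecureString) As Boolean
        Dim pwdPtr As IntPtr = IntPtr.Zero
        Dim token As IntPtr = IntPtr.Zero
        Try
            ' Decrypt the SecureString into an unmanaged BSTR for the API call only.
            pwdPtr = Marshal.SecureStringToBSTR(password)
            Return LogonUser(userName, domain, pwdPtr, _
                             LOGON32_LOGON_INTERACTIVE, _
                             LOGON32_PROVIDER_DEFAULT, token)
        Finally
            ' ZeroFreeBSTR overwrites the plaintext before releasing the buffer,
            ' which is the managed equivalent of SecureZeroMemory here.
            If pwdPtr <> IntPtr.Zero Then Marshal.ZeroFreeBSTR(pwdPtr)
            ' We only need a yes/no answer, so the token is not kept around.
            If token <> IntPtr.Zero Then CloseHandle(token)
        End Try
    End Function
End Module
```

One caveat: a WinForms TextBox stores its contents as a managed String, so to get the benefit you need to build the SecureString character by character (AppendChar) as the user types, rather than converting TextBox.Text afterwards.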