- Type: Task
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 1.7.1
- Component/s: None
None
Version 1.8 introduces the use of SecureString to store passwords securely, but there are still a few places where the SecureString is being converted back to a regular string. For best security, once a password has been converted to a SecureString it should never be converted back. This requires implementing password hashing differently.
Also, the new implementation of password hashing should handle non-ASCII characters in passwords correctly by encoding the password to UTF-8 before hashing it. This requires some custom UTF-8 encoding logic because the standard UTF8Encoding classes only work with standard strings.
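One way to hash a SecureString without ever materializing a managed string, shown as an added example rather than the driver's own code. `SecurePasswordHasher` and `EncodeUtf8` are hypothetical names, and the hash algorithm is supplied by the caller because the ticket does not name one.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

// Added example; SecurePasswordHasher and EncodeUtf8 are hypothetical names.
public static class SecurePasswordHasher
{
    public static byte[] Hash(SecureString password, HashAlgorithm algorithm)
    {
        var utf8 = new byte[password.Length * 3];            // worst case: 3 bytes per UTF-16 code unit
        var pin = GCHandle.Alloc(utf8, GCHandleType.Pinned); // stop the GC from relocating the plaintext
        var bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(password);     // unmanaged copy, never a System.String
            int count = EncodeUtf8(bstr, password.Length, utf8);
            return algorithm.ComputeHash(utf8, 0, count);
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr); // zero, then free, the unmanaged copy
            Array.Clear(utf8, 0, utf8.Length);                   // wipe the encoded password
            pin.Free();
        }
    }

    // Minimal UTF-16 to UTF-8 encoder that reads code units straight from unmanaged memory.
    private static int EncodeUtf8(IntPtr chars, int length, byte[] output)
    {
        int n = 0;
        for (int i = 0; i < length; i++)
        {
            int cp = (ushort)Marshal.ReadInt16(chars, i * 2);
            if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < length)
            {
                int low = (ushort)Marshal.ReadInt16(chars, (i + 1) * 2);
                if (low >= 0xDC00 && low <= 0xDFFF) { cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00); i++; }
            }
            if (cp >= 0xD800 && cp <= 0xDFFF) cp = 0xFFFD;   // unpaired surrogate becomes U+FFFD
            if (cp < 0x80) { output[n++] = (byte)cp; continue; }
            int extra = cp < 0x800 ? 1 : cp < 0x10000 ? 2 : 3; // number of continuation bytes
            int lead = extra == 1 ? 0xC0 : extra == 2 ? 0xE0 : 0xF0;
            output[n++] = (byte)(lead | (cp >> (6 * extra)));
            for (int s = 6 * (extra - 1); s >= 0; s -= 6) output[n++] = (byte)(0x80 | ((cp >> s) & 0x3F));
        }
        return n;
    }
}
```

The hash implementation may still buffer input internally, so this narrows the plaintext's lifetime in managed memory rather than eliminating it.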