17

I have the following connection string:

Data Source=Paul-HP\MYDB;Initial Catalog=MyMSDBSQL;Persist Security Info=True;User ID=sa;Password=password

(.net webservice) This can obviously be viewed simply by opening up the app.config file and looking at the configuration settings.

What I need is a way to make a hacker unable to see the password. But at the same time, leave it customisable so that it can be changed when deployed on another database.

Improve this question

5 Answers 5

Reset to default
19

You have a number of options - the ones that I am aware of (in order of preference):

  1. Use integrated (SSPI) security where you don't need to include a password in the config file
  2. Encrypt the connection string (see Encrypting Configuration Information Using Protected Configuration)
  3. Store the username and password separately and use string formatting to construct the full connection string,

So for example the connection string might look like this:

Data Source=Paul-HP\MYDB;Initial Catalog=MyMSDBSQL;Persist Security Info=True;User ID={0};Password={1}

I'd go for option 1, if thats not possible then option 2. I've mentioned option 3 for completeness.

Have you read Protecting Connection Information (ADO.NET)?

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Suggestion 2 looks good for a static point of view, but none of the solutions provided (by anyone) allow customisation of the connection string after compilation? Though im guessing this is not possible, as that requires them entering clear text, which is what encription is avoiding. P.s why do you edit everything but not make any changes?
@Doomsknight I just removed the "thanks" signature from the end of your post
If you want to customise the connection string then perhaps option 3 might be useful - you can then encrypt the password (and optionally the username) separately.
Ive used method 2, with the theory that I can keep a copy of the config file, and when change is needed, enter the details and encript it. Then use the newly encripted one. SSPI isnt possible for me. CHeers.
@Justin Can you give us an example of c# code abput option #3 ? Thank you
9

First of all, don't use the "SA" account. It leaves your database wide open if someone gets the password. Use a custom account which only is allowed to do CRUD operations on a specific database.

The only way to get web.config is to hack your server. And if they have done that, you're screwed anyway.

Improve this answer

5 Comments

Please motivate down votes so that I get a chance to improve my answer.
Wait but... this answer doesn't actually answer the guys question! (Not that I downvoted)
I'm not downvoted your answer but there are a lot of other possibilities to grab password from web.config not only to hack a server, for instance some virus can grab it from local development machine before deployment, or other cases. No matter how.. the question is how to encrypt password and it makes sense because the main rule regarding password propection - never keep it in plain text
Good point. thanks. There is better answers covering encryption now, so no point in adding info about it.
+1 for mentioning not to use SA :). I am only using it for development reasons but it is a very important point.
3

Probably easiest to encrypt the connection strings within the web.config or app.config

See How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Improve this answer

Comments

2

I Suggest en/decrypting the connection string. Therefore the connection string has to be set manually.

For encryption take a look at: http://dotnet-snippets.de/dns/encrypt-and-decrypt-strings-SID205.aspx

For Custom Settings take a look at: http://msdn.microsoft.com/en-us/library/8eyb2ct1.aspx

Replace the Encrypted with the correct one at runtime:

  public static void SetAppSettingValue(string Key, string Value)
   {

   System.Configuration.Configuration config == ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
// Add an Application Setting.

 config.AppSettings.Settings[Key].Value = Value;

  // Save the changes in App.config file.

   config.Save(ConfigurationSaveMode.Modified);

    ConfigurationManager.RefreshSection("appSettings");
  }
Improve this answer

Comments

1

You could encrypt the connection string - then when you access the connection string, decrypt it. This isn't fool proof though as you're then stuck with the problem of where to store the key to decrypt the connection string!

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.