Let's say it up front: there is no absolutely safe place in which critical data such as a password can be stored. Under normal conditions, having the password stored as plain text in a file is not a problem. However, if a successful attack occurs, your critical password will be sitting there, ready to be stolen.

If the password is used to connect to SQL Server, you might want to opt for a trusted connection, that is, Windows and SQL Server integrated security. The connection string below is the one you would use. It doesn't contain an explicit user ID and password; in fact, if you include them, they are ignored. Windows and SQL Server silently work together to exchange and verify the credentials of the logged-on user.

DATABASE=northwind;SERVER=myserver;TRUSTED_CONNECTION=true;

In this case, you need to configure the ASP.Net account as a valid SQL Server login. Otherwise, you can store the password in a database or in a file located outside the Web application subtree. Again, this gives no 100 percent guarantee of inviolability, but it certainly makes the system harder to hack.

Encryption
Encrypting the password can also help, since it adds another layer of complexity. But don't try to roll your own encryption algorithm thinking it will be more secure. (Do not overestimate yourself!) Serious hackers can break naive schemes in a few hours. If you opt for encryption, don't be afraid to use the .Net Framework cryptography model. You don't have to be an expert to use those classes. The .Net Framework provides implementations of many standard cryptographic algorithms.

To encrypt and decrypt data, you must use a key with an encryption algorithm that transforms the data. There are two main families of algorithms: symmetric and asymmetric. Symmetric algorithms have a single key and use it for both encryption and decryption. Only the sender must know the key. It travels with the data so that the data can be decrypted when it reaches the receiver. The DESCryptoServiceProvider class is an implementation of a symmetric algorithm.

Asymmetric, or public key, algorithms require that both sender and receiver maintain a pair of keys: a public key and a private key. The public key can be made available to anyone and is used for encoding data that is sent to the receiver. The private key must be safely stored and is used only for decoding messages encoded with its matching public key. Anything encrypted with the public key can be decrypted only with the companion private key. So I should first ask you to send me your public key. RSACryptoServiceProvider is an implementation of an asymmetric algorithm.

Typically, symmetric encryption is performed on streams and is therefore useful for encrypting large amounts of data. Asymmetric encryption is performed on a small number of bytes and is therefore useful only for small amounts of data, such as a password.
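An added example (not the article's code) of the symmetric path described above: it protects a stored password with AES, used here in place of the DESCryptoServiceProvider the text names, through the same SymmetricAlgorithm and CryptoStream API; the key, the password value and the storage location are assumptions.

```csharp
// Added example, not the article's code: AES through the SymmetricAlgorithm/CryptoStream model.
// Both parties must already hold the key; it is shared out of band, never stored with the data.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
static class PasswordVault
{
    // Returns IV || ciphertext. The IV is public and may sit beside the data; the key must not.
    // CBC alone gives no integrity: add an HMAC over the blob if tampering with the file matters.
    public static byte[] Protect(string password, byte[] key)
    {
        using (Aes aes = Aes.Create())
        using (MemoryStream ms = new MemoryStream())
        {
            aes.Key = key;
            aes.GenerateIV();                                // fresh random IV per encryption
            ms.Write(aes.IV, 0, aes.IV.Length);
            using (ICryptoTransform enc = aes.CreateEncryptor())
            using (CryptoStream cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
            {
                byte[] plain = Encoding.UTF8.GetBytes(password);
                cs.Write(plain, 0, plain.Length);
                cs.FlushFinalBlock();                        // writes the last padded block
            }
            return ms.ToArray();                             // works after the stream is closed
        }
    }
    // One-shot decryption via ICryptoTransform; CryptoStream above is the stream form.
    public static string Unprotect(byte[] blob, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];         // 16 bytes for AES
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length));
        }
    }
    static void Main()
    {
        // Constructed 256-bit key. In a deployment it is read from a file or store outside the
        // Web application subtree, with an ACL that lets only the ASP.Net account read it.
        byte[] key = new byte[32];
        RandomNumberGenerator.Create().GetBytes(key);
        byte[] blob = Protect("s3cret-db-password", key);   // this blob is what gets stored
        Console.WriteLine(Unprotect(blob, key));
    }
}
```

Whatever algorithm is chosen, the application still needs the key at run time, so the gain comes from keeping key and ciphertext in separate, ACL-restricted locations outside the web tree, as the article already recommends for the plain file.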