4

Is it secure to have a password as a plain string in the C# code? I will only have one user that will use the login feature. Thank you.

user2864740
user3581054
  • 1
    Probably not. You should Hash and Encrypt it, even when inside code. – Elad Lachmi Jul 26 '14 at 09:08
  • 1
    No. C# code is easily decompiled to its (near-enough) exact source. – Arran Jul 26 '14 at 09:12
  • 3
    While the answer really is "no", the issue is mitigated with code running on the server (e.g. ASP.NET) *if* nobody can access the assembly directly. However, code on the client is a very bad place to store a secret password. There are also better ways to store passwords than *in* the code; the web.config file, for instance, supports encryption of such. – user2864740 Jul 26 '14 at 09:17
  • I'm looking for the simplest way to store a password, do you have any suggestions? This site won't be exposed to any "real" threats. – user3581054 Jul 26 '14 at 09:21
  • Ref. http://stackoverflow.com/questions/20908438/how-can-i-secure-passwords-stored-inside-my-web-config-file – user2864740 Jul 26 '14 at 09:23
  • You can store it encrypted in a txt file, you can use this: https://encrypto.codeplex.com – Omu Jul 26 '14 at 09:26

2 Answers

3

No, it isn't secure. As the others have already said, it's not a complicated matter to decompile a DLL etc. and retrieve the source code...

Perhaps you could look into putting it in an app key in the web.config file and encrypting that using IIS... Have a read of this Microsoft walkthrough for encrypting the web.config connection string.

Paul Zahra
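
As an added example (not part of the answer above and not code from the question), here is one way to keep the literal password out of the assembly: store only a salted PBKDF2 hash in the web.config `appSettings`, following the hashing suggestion in the comments. The key names `LoginSalt` and `LoginHash`, the class name and the iteration count are assumptions made for this sketch.

```csharp
using System;
using System.Configuration;           // needs a reference to System.Configuration
using System.Security.Cryptography;

public static class SingleUserLogin
{
    // Assumed parameters for this example.
    private const int Iterations = 100000;
    private const int HashBytes = 32;

    // Run once offline; paste the two Base64 values into <appSettings>.
    public static string[] CreateRecord(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return new[] { Convert.ToBase64String(salt),
                       Convert.ToBase64String(Derive(password, salt)) };
    }

    // Login check: the plain password appears in neither the assembly nor the config.
    public static bool Verify(string attempt)
    {
        // Hypothetical appSettings keys.
        string saltB64 = ConfigurationManager.AppSettings["LoginSalt"];
        string hashB64 = ConfigurationManager.AppSettings["LoginHash"];
        if (attempt == null || saltB64 == null || hashB64 == null)
            return false; // fail closed when the config is incomplete
        byte[] expected = Convert.FromBase64String(hashB64);
        byte[] actual = Derive(attempt, Convert.FromBase64String(saltB64));
        return FixedTimeEquals(expected, actual);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compare without exiting early on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Decompiling the assembly then yields only the verification logic, and reading web.config yields a salted hash rather than the password. Encrypting the `appSettings` section, as the answer suggests, can be applied on top of this.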
1

No, it's not safe. Many decompilers, like reflectors, can easily retrieve the password; the main reason is that the code can be easily decompiled.

user2864740