I am trying to write an app that will be scheduled to auto-download one page from a SharePoint server every hour. It is an XML file. Everything works so far, except I do not like storing the password needed to connect to SharePoint in plaintext in my app. Sample code here:

WebClient client = new WebClient();
String username = "myusername";
String password = "mypassword";
String filename = "C:\\Temp\\" + DateTime.Now.ToString("yyyyMMddHHmmssffff") + ".xml";

client.Credentials = new System.Net.NetworkCredential(username, password);
string credentials =  Convert.ToBase64String(Encoding.ASCII.GetBytes(username + ":" + password));
client.DownloadFile("myurl", filename);

Is there a way to make it harder to read my password if someone got the executable file from my server and disassembled it, e.g. with Reflector?
I have found this: "How to store passwords in Winforms application?", but I did not really figure out how to use it in my app.

Sparkye
  • @O.R.Mapper, I disagree completely. I see nothing open-ended about this question. He has presented his problem, and his code. Considering this is his first question, I think he's done a great job. Your comment creates an unwelcoming environment for new users. – James Hill Sep 03 '14 at 09:29
  • Your link is a little confusing... have a read of the example here http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata%28v=vs.110%29.aspx – Paul Zahra Sep 03 '14 at 09:29
  • @JamesHill: I am sorry I created that impression, in particular as I have read various rants just before answering here about how unwelcoming SO allegedly is. Therefore, I thought I had put extra effort into making sure that the site does not appear unwelcoming at all. I responded in a friendly tone rather than saying "you did it all wrong", I pointed out exactly what I thought could be improved, I provided a link to where I thought the OP might be better served with their problem, I did not downvote, I did not close-vote, and I pointed out that *I think* this question is not a good fit here. – O. R. Mapper Sep 03 '14 at 09:34
  • @O.R.Mapper: I think your advice is fine in tone and content (although I don't agree on the open-ended part). – Patrick Hofman Sep 03 '14 at 09:38
  • O. R. Mapper: There is nothing unfriendly in your post. Thanks for the constructive comment, I will try to fit my question better next time. – Sparkye Sep 03 '14 at 11:58

2 Answers

In fact you'd better not use passwords. If the service runs under the right credentials, you can use that one by using the DefaultNetworkCredentials:

So in your sample:

client.Credentials = CredentialCache.DefaultNetworkCredentials;

This will get you the credentials of the current network user, like DOMAIN\USER.

Patrick Hofman
  • I don't think hashing would help in this case because the password actually has to be used to perform an action, not be compared to user input. – jmcilhinney Sep 03 '14 at 09:30
  • Yes, users won't be able to see the password but neither will the password be able to be used by the application, which is why it's being stored in the first place. – jmcilhinney Sep 03 '14 at 09:34
  • No, the application can't decipher it. Hashing is one-way. The data needs to be encrypted, so that it can be decrypted. There's no dehashing, which is one of the main reasons that hashing is useful. – jmcilhinney Sep 03 '14 at 09:38
  • @Patrick Hofman: This exactly did the trick. I used your code and scheduled the app to run as a user who has access to the SharePoint server, and it works. Thanks a lot. – Sparkye Sep 03 '14 at 11:41

If you must store the password with the app, put it in the config file and then encrypt the appropriate section(s) of that using Protected Configuration.

jmcilhinney
  • Is that for web.config only? This question was originally for winforms, but that was removed in the edit, it seems. – Paul Zahra Sep 03 '14 at 09:32
  • I think it was created for ASP.NET applications but it will work with any config file, e.g. http://www.vbforums.com/showthread.php?532768-NET-2-0-Protected-Configuration-%28Encrypting-Config-Files%29. That code is VB but demonstrates the principle. – jmcilhinney Sep 03 '14 at 09:36
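
Added example (not code from the question or either answer): one way to apply the Protected Configuration suggestion to the question's downloader in a non-web .NET Framework app. The appSettings key names `SharePointUser` and `SharePointPassword` and the class name are assumptions; `myurl` is the question's own placeholder.

```csharp
// Added example. Needs a reference to System.Configuration.dll (.NET Framework).
using System;
using System.Configuration;
using System.Net;

static class Downloader
{
    // Assumed appSettings keys, not taken from the original post.
    const string UserKey = "SharePointUser";
    const string PasswordKey = "SharePointPassword";

    // Encrypt <appSettings> in the application's own .config file, in place.
    // Safe to call on every start: it does nothing once the section is protected.
    static void ProtectAppSettings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("appSettings");

        if (section == null || section.SectionInformation.IsProtected)
            return;

        // DPAPI-backed provider: the ciphertext is tied to this machine,
        // so a copied .exe/.config pair does not reveal the password.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("appSettings");
    }

    static void Main()
    {
        ProtectAppSettings();

        // Reads are decrypted transparently by the configuration system.
        string username = ConfigurationManager.AppSettings[UserKey];
        string password = ConfigurationManager.AppSettings[PasswordKey];
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            throw new ConfigurationErrorsException("Missing SharePoint credentials in appSettings.");

        string filename = "C:\\Temp\\" + DateTime.Now.ToString("yyyyMMddHHmmssffff") + ".xml";
        using (WebClient client = new WebClient())
        {
            client.Credentials = new NetworkCredential(username, password);
            client.DownloadFile("myurl", filename);
        }
    }
}
```

The account running the scheduled task needs write access to the .config file on the first run so the section can be saved encrypted. This protects a copied file, not the server itself: code that can run on that server can still decrypt the section.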