
I am creating a Windows WPF application in C# using Visual Studio Community 2013 and MySQL. I'm quite new to all of this, so please excuse me if I am not making sense.

I have searched for answers on Google and here on Stack Overflow and have found similar questions, but have not found any satisfactory answers.

I currently (for development) have the username and password for the MySQL connection stored in the settings.settings file (in plain text), but obviously this is no good for production as it is insecure. I am unsure how best to implement the password security.

I would usually just salt/hash the password and authenticate the user against the hash, but as I need to connect to MySQL that would not work, as I need to pass the password in the connection string (or is there another way?).

I wouldn't mind having a 'Remember Password' option, but I'm not opposed to requiring the user to enter their password each time they open the app.


There are various ways I can see of programming this:

  1. Store the password in plain text and send it to MySQL each time I make a query. This is obviously not secure.

  2. Encrypt and store the password, and decrypt/send it to MySQL each time I make a query. This is slightly less insecure but still not great.

  3. Take the entered password, authenticate against MySQL, discard the password and keep the MySQL session open for as long as the application is running.

  4. Salt/hash the password to authenticate the user and, once the user is authenticated, connect to the database using hard-coded credentials. Reverse engineering this application would give anyone the SQL credentials.

  5. Same as #4, but store an encrypted password in the database with the hash (encrypt a different password from their entered one) and decrypt/send it to MySQL in plain text. Is sending a plain-text password over a local network insecure?

  6. A far cleverer way of doing the entire thing that I couldn't think of. This is probably the right answer.

So, which is it?

Thanks in advance for any answers.

MarkR
  • Already answered in, for example, http://stackoverflow.com/questions/22435561/encrypting-credentials-in-a-wpf-application – Norbert Jun 28 '15 at 18:43
  • As I understand it, this would encrypt the password that the user entered, which I would then decrypt and send in plain text in the connection string. Is this a secure way to go about it? And isn't encryption vulnerable to rainbow table cracking? – MarkR Jun 28 '15 at 18:59
  • You could protect your connection using SSL: https://dev.mysql.com/doc/refman/5.1/en/ssl-connections.html – Norbert Jun 28 '15 at 23:00
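
An added sketch (not part of the original question or its comments) of option 3 combined with an optional 'Remember Password' and the SSL suggestion: each user has their own MySQL account, the connection refuses to proceed without TLS, and the remembered password is protected with Windows DPAPI for the current Windows user only. It assumes Connector/NET (`MySql.Data`) and a reference to `System.Security`; the class name `DbLogin`, the folder `ExampleWpfApp` and the file `db.cred` are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData (DPAPI), needs a reference to System.Security
using System.Text;
using MySql.Data.MySqlClient;          // Connector/NET

static class DbLogin
{
    // Hypothetical per-user location for the optional "Remember Password" blob.
    static readonly string BlobPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "ExampleWpfApp", "db.cred");

    // Option 3: the password is used once to open the session; the caller keeps
    // the returned connection for the lifetime of the app and drops the password.
    public static MySqlConnection Open(string host, string db, string user, string password)
    {
        var csb = new MySqlConnectionStringBuilder
        {
            Server = host,
            Database = db,
            UserID = user,
            Password = password,
            // Required encrypts the session; VerifyCA/VerifyFull also validate the server certificate.
            SslMode = MySqlSslMode.Required
        };
        var conn = new MySqlConnection(csb.ConnectionString);
        try { conn.Open(); }                    // MySqlException on bad credentials or no TLS
        catch { conn.Dispose(); throw; }
        return conn;
    }

    // "Remember Password": DPAPI ties the blob to the current Windows account,
    // so no encryption key is stored in the application or its settings file.
    public static void Remember(string password)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(password), null, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
        File.WriteAllBytes(BlobPath, blob);
    }

    // Returns null when nothing is stored or the blob cannot be decrypted
    // (different Windows user, copied to another machine, or modified).
    public static string Recall()
    {
        if (!File.Exists(BlobPath)) return null;
        try { return Encoding.UTF8.GetString(ProtectedData.Unprotect(
                  File.ReadAllBytes(BlobPath), null, DataProtectionScope.CurrentUser)); }
        catch (CryptographicException) { return null; }
    }
}
```

Because every user logs in with their own MySQL account, nothing recoverable from the binary grants database access, and privileges can be limited per account on the server.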

0 Answers