0

What is the best solution to not have a password for a database connection string (for example in a config file), or a mail account password used to send mails automatically?

Thanks

user1069516

3 Answers

2

You may use encryption, but the password has to be stored somewhere. If you're using SQL Server, use Windows authentication instead.

Luca Mozzo
  • For example, I have in my application a database connection, and the connection string is in app.config, and a functionality to send mail; in the SmtpClient class, the password is in the code like this: Credentials = new NetworkCredential("mailAdress", "password") – user1069516 Jun 16 '16 at 15:50
  • Are you using MS SQL Server or another service? If you're using it, when you set it up on Visual Studio, it asks you whether to use a user-defined password or Windows authentication @user1069516 – Luca Mozzo Jun 16 '16 at 16:11
  • I can't use Windows authentication because my application hosts WCF services on a web server in a DMZ. – user1069516 Jun 17 '16 at 08:55
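What the accepted advice looks like in the questioner's own .NET setting, as an added example that is not code from the answer or the question: the SQL Server connection and the SmtpClient both authenticate with the Windows identity the process runs under, so neither app.config nor the source carries a password. It assumes the application runs as a domain or service account that SQL Server and the mail server trust; the host names are placeholders, and the last helper is a check a build or deployment step can run to catch a connection string that still contains a plaintext password.

```csharp
// Added example (not from the question or any answer): configure the SQL Server
// connection and the SmtpClient with Windows authentication so that no password
// lives in app.config or in code.
// Assumed: the process runs as an account that SQL Server and the SMTP server
// accept; "sql01.example.local" and "mail.example.local" are placeholders.
using System;
using System.Data.SqlClient;
using System.Net.Mail;

static class PasswordlessConfig
{
    // Connection string with Integrated Security: no User ID / Password keys,
    // so there is nothing secret to put in <connectionStrings>.
    public static string BuildConnectionString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,   // Kerberos/NTLM with the process identity
            Encrypt = true               // protect the session on the wire
        };
        return builder.ConnectionString;
    }

    // SmtpClient without NetworkCredential("mailAddress", "password"):
    // UseDefaultCredentials authenticates with the process identity, which works
    // when the mail server (for example Exchange) accepts Windows authentication.
    public static SmtpClient BuildSmtpClient(string host, int port)
    {
        return new SmtpClient(host, port)
        {
            EnableSsl = true,
            UseDefaultCredentials = true
        };
    }

    // Deployment check: a connection string that is not using integrated
    // security and carries a Password is a plaintext secret in config.
    public static bool ContainsPlaintextPassword(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        return !builder.IntegratedSecurity && !string.IsNullOrEmpty(builder.Password);
    }

    static void Main()
    {
        string cs = BuildConnectionString("sql01.example.local", "AppDb");
        Console.WriteLine(cs);
        Console.WriteLine("plaintext password present: " + ContainsPlaintextPassword(cs));
        using (var smtp = BuildSmtpClient("mail.example.local", 587))
        {
            Console.WriteLine("SMTP uses process identity: " + smtp.UseDefaultCredentials);
        }
    }
}
```

The limitation raised in the comments applies as written: integrated security needs the host to authenticate to the domain (or a trust that reaches it). A DMZ server that cannot do so falls back to the approaches in the other answers, and the `ContainsPlaintextPassword` check then at least makes that fallback visible rather than silent.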
0

It doesn't matter where you save it, but I would save it somewhere inside the code (hardcoded) and then encrypt the password AND the user with (for example) AESThenHMAC, which I personally like very much.

However, this method of encryption needs a master key, which may be caught using a reflector.

To counter the reflector, you should obfuscate your code, which makes your methods/variables/constants etc. harder to read.

But keep in mind that nothing is 100% secure; this way you prevent the merely curious from getting your credentials.

If someone really wants to get those credentials, and has the knowledge and access to the DLLs, he may get them, and you are only making him waste more time.

Free obfuscation tools (.NET) (Source):

Leandro Soares
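An encrypt-then-MAC credential store in the spirit of this answer, as an added example that is not the AESThenHMAC snippet it refers to nor code from the answer: AES-256-CBC followed by HMAC-SHA256 over IV||ciphertext, so only a base64 token needs to sit in app.config. It deliberately departs from the answer on one point, to address the master-key caveat it raises: the master key is not hardcoded in the assembly (where a reflector would find it) but kept in a file protected with Windows DPAPI, which binds it to the machine. It assumes a Windows host, a reference to the assembly that provides `ProtectedData` (System.Security on .NET Framework), and the key-file path is a placeholder.

```csharp
// Added example (not the answer's code): encrypt-then-MAC of a credential with
// the master key held outside the assembly, DPAPI-protected on disk.
// Assumed: Windows host; key file path below is a placeholder.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class CredentialVault
{
    const int KeyBytes = 32;   // AES-256 key and HMAC-SHA256 key, 32 bytes each
    const int IvBytes = 16;
    const int TagBytes = 32;

    // Create or load a 64-byte master key (encryption key || MAC key).
    // On disk it is DPAPI-protected, so copying the file or the DLL alone
    // does not yield the key; the machine has to unprotect it.
    public static byte[] LoadMasterKey(string keyFile)
    {
        if (File.Exists(keyFile))
            return ProtectedData.Unprotect(File.ReadAllBytes(keyFile), null, DataProtectionScope.LocalMachine);
        var key = new byte[2 * KeyBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        File.WriteAllBytes(keyFile, ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine));
        return key;
    }

    static void SplitKey(byte[] master, out byte[] cryptKey, out byte[] macKey)
    {
        cryptKey = new byte[KeyBytes]; macKey = new byte[KeyBytes];
        Buffer.BlockCopy(master, 0, cryptKey, 0, KeyBytes);
        Buffer.BlockCopy(master, KeyBytes, macKey, 0, KeyBytes);
    }

    // Token layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext), base64.
    public static string Encrypt(string secret, byte[] masterKey)
    {
        SplitKey(masterKey, out byte[] cryptKey, out byte[] macKey);
        using (var aes = Aes.Create())
        {
            aes.Key = cryptKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                       // fresh IV per token
            byte[] plain = Encoding.UTF8.GetBytes(secret);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

            var payload = new byte[IvBytes + cipher.Length + TagBytes];
            Buffer.BlockCopy(aes.IV, 0, payload, 0, IvBytes);
            Buffer.BlockCopy(cipher, 0, payload, IvBytes, cipher.Length);
            using (var hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(payload, 0, IvBytes + cipher.Length);
                Buffer.BlockCopy(tag, 0, payload, IvBytes + cipher.Length, TagBytes);
            }
            return Convert.ToBase64String(payload);
        }
    }

    public static string Decrypt(string token, byte[] masterKey)
    {
        SplitKey(masterKey, out byte[] cryptKey, out byte[] macKey);
        byte[] payload = Convert.FromBase64String(token);
        if (payload.Length < IvBytes + TagBytes)
            throw new CryptographicException("token too short");
        int bodyLen = payload.Length - TagBytes;

        // Verify the MAC before decrypting; compare in constant time.
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(payload, 0, bodyLen);
            int diff = 0;
            for (int i = 0; i < TagBytes; i++) diff |= expected[i] ^ payload[bodyLen + i];
            if (diff != 0) throw new CryptographicException("token tampered or wrong key");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = cryptKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            var iv = new byte[IvBytes];
            Buffer.BlockCopy(payload, 0, iv, 0, IvBytes);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(payload, IvBytes, bodyLen - IvBytes));
        }
    }

    static void Main()
    {
        byte[] master = LoadMasterKey(@"C:\ProgramData\MyApp\master.key"); // placeholder path
        string token = Encrypt("smtp-password-here", master);             // this is what goes in app.config
        Console.WriteLine(token);
        Console.WriteLine(Decrypt(token, master));
    }
}
```

Obfuscation, as the answer says, only raises the cost of reading the assembly; moving the key out of the assembly changes what an attacker needs from "the DLL" to "code execution on that machine as that account", which is the boundary DPAPI is designed around. Restrict the key file's ACL to the service account, since DataProtectionScope.LocalMachine lets any local process unprotect it.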
0

You can use a password manager such as Passwordstate (from https://www.clickstudios.com.au).

Your credentials are stored securely in an on-premises server, and you access them via a REST API. All that you have in your code is the information to access the REST API, and if you're paranoid about having even that in your code then you could encrypt it.

sheppe