
How safe is it to write the password in the web.config of an ASP.NET project like this:

<mailSettings>
  <smtp from="example@web.com">
    <network host="smtp.web.com"
             port="123"
             userName="username@web.com"
             password="12345"
             enableSsl="true"/>
  </smtp>
</mailSettings>

I'm not too familiar with internet security, so if this is not safe, are there any alternatives?

Sönke
    As long as you don't mind anybody with access to the source code or to the file system being able to see that password. Which isn't inherently a bad thing, it's really up to you. – David May 15 '18 at 13:23
  • If you have `` you will have the default error page, which, depending on the error, could show the `` part of the `web.config` file. I would avoid storing it there. – Tasos K. May 15 '18 at 13:33
  • It is a bad practice to store passwords in normal config files. Better store them in environment variables so that they don't appear in version control systems or if you deploy your application to Azure, there is a solution with a special config file (https://learn.microsoft.com/en-us/aspnet/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure) – momo May 15 '18 at 13:52

1 Answer

Look into encrypting web.config sections.

https://msdn.microsoft.com/en-us/library/bb986855.aspx

https://stackoverflow.com/a/6224769/461822

Something like

aspnet_regiis.exe -pef "system.net/mailSettings/smtp" "C:\inetpub\wwwroot\website" -prov RSAProtectedConfigurationProvider

Do think about the <machineKey> value when deploying to a web farm.

If you're setting <machineKey> in your web.config, you're basically giving away the key to decrypt.

So, like David said in the comments above, if you're comfortable with sharing secrets with people that have access to your code then it's fine.

If not, create a test SMTP environment where you don't mind sharing credentials and put those credentials in web.config.

Or look into tools like Papercut for local testing and change the values in the web.config right before/after deploying.

Sai Puli
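Added example (my own code, not from the question or the answer above): this does programmatically what the aspnet_regiis -pef command does, using the same RsaProtectedConfigurationProvider, and then reads the section back to show that code running on the machine still gets the plaintext. It assumes the site folder path from the answer and a console project referencing System.Configuration and System.Web.

```csharp
// Added example, not from the original post. Encrypts the smtp section of a
// web.config in place with RsaProtectedConfigurationProvider (the provider the
// aspnet_regiis -pef command uses), then reads it back through the configuration
// API. The file on disk holds <EncryptedData>; the key lives in the machine's RSA
// key container, so only accounts granted access to that container can decrypt.
using System;
using System.Configuration;
using System.Net.Configuration;
using System.Web.Configuration;

static class SmtpConfigProtector
{
    const string SectionPath = "system.net/mailSettings/smtp";
    const string Provider = "RsaProtectedConfigurationProvider";

    // physicalDir is the folder that contains web.config (assumed path, see Main).
    static Configuration Open(string physicalDir)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypts the smtp section; returns true if the file was changed.
    public static bool Protect(string physicalDir)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(SectionPath);
        if (section.SectionInformation.IsProtected) return false;
        section.SectionInformation.ProtectSection(Provider);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // The limit of this control: anyone who can run code as an account with
    // access to the RSA key container still reads the plaintext transparently.
    public static string ReadPassword(string physicalDir)
    {
        var smtp = (SmtpSection)Open(physicalDir).GetSection(SectionPath);
        return smtp.Network.Password;
    }

    static void Main(string[] args)
    {
        // Assumed site folder; pass a different one on the command line.
        string dir = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\website";
        Console.WriteLine(Protect(dir) ? "smtp section encrypted" : "smtp section already encrypted");
        Console.WriteLine("Password readable by this account: " + (ReadPassword(dir).Length > 0));
    }
}
```

Run it as an account that has access to the key container (aspnet_regiis -pa grants that to the application pool identity), and check the saved web.config to confirm the section now carries configProtectionProvider and an EncryptedData element instead of the password attribute.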