I want to use an SMTP email class in a WPF C# app.

My SMTP server is cloud based and I of course need my user and password.

Whilst I may be OK with saving the user for the SMTP server, I would like to avoid putting the password in the code.

Reading up, it seems that I cannot retrieve the password of a user from AD due to the way it is stored. Is that correct or have I missed something?

I can think to store a password in SQL with SALT, but is there a better way than this for WPF C#?

Update: The links below help to secure and retrieve, but I am being a bit thick here: I still have to put my password in the code / DLL?

Is that secure?

For example

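```csharp
using System.Security; // SecureString

var str = "Password123";     // hard-coded password literal (the case being asked about)
var sc = new SecureString();
foreach (char c in str)
    sc.AppendChar(c);        // copy the literal into the SecureString one char at a time
```
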
Ian W
  • How awesome would it be to be able to retrieve the CFO's AD password to give yourself a raise? – Kenneth K. Sep 20 '18 at 20:32
  • Being able to retrieve passwords from AD would be a giant security problem. There's no way to do it since only the password hash is stored. – itsme86 Sep 20 '18 at 20:40
  • I know this sounds stupid but the links are very useful but how do I store (in securestring) the password first of all? I have to write the password. See my edit – Ian W Sep 20 '18 at 20:55
  • Can you build a bridge service on the cloud that is on the same network as the SMTP server? You should be able to use default credentials at that point. Of course, now you need to authenticate and secure that API call. – KCIsLearning Sep 20 '18 at 21:31
  • You may store the password in an encrypted configuration file: https://stackoverflow.com/questions/5522879/encrypt-password-in-app-config. There is no completely safe way to store a password in an application though. Whether you hard-code it in clear text or encrypt it, it can still be retrieved. The most secure thing would be not to store it at all but let the user type it in on request. – mm8 Sep 21 '18 at 13:15

1 Answer

You can certainly not retrieve a password from AD.

You may store the password in an encrypted configuration file but note that there is no completely safe way to store a password in an application. Regardless of whether you hard-code it in clear text in your source code or encrypt it, it can still be retrieved by a malicious user. The most secure thing would be not to store the password in the application at all, but instead let the user type it in on request for example.

mm8
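
An added example, not part of the question or the answer above: one way to keep the SMTP password out of the code and DLL is to have the user type it once and store it encrypted per Windows user with DPAPI (`ProtectedData`), a technique the thread itself does not name. The class name, file path and entropy string are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography; // ProtectedData: reference System.Security (.NET Framework)
using System.Text;                  // or the System.Security.Cryptography.ProtectedData package

public static class SmtpSecretStore
{
    // Hypothetical location: the per-user profile, never the install directory or the assembly.
    private static readonly string SecretPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyWpfApp", "smtp.bin");

    // Extra entropy only separates this blob from other DPAPI blobs; it is not a secret key.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyWpfApp.Smtp.v1");

    // Call once with the password the user typed (e.g. PasswordBox.Password).
    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(SecretPath));
            File.WriteAllBytes(SecretPath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave the plaintext bytes around
    }

    // Returns null when nothing is stored or the blob cannot be decrypted
    // (other Windows account, other machine, tampered file): prompt the user again.
    public static NetworkCredential Load(string smtpUser)
    {
        if (!File.Exists(SecretPath)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(SecretPath), Entropy, DataProtectionScope.CurrentUser);
            try { return new NetworkCredential(smtpUser, Encoding.UTF8.GetString(plain)); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException) { return null; }
    }
}
```

Assign the result of `Load` to `SmtpClient.Credentials`. Any code running as the same Windows user can call `Unprotect` on the file as well, so this keeps the password out of the binary and away from other accounts but does not make it unrecoverable on that machine.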