2

I am creating a windows service that has to send an email out at specific intervals to various people. I am using an account on a server that I need to connect with securely.

I found this reference: https://nimblegecko.com/how-to-store-login-details-securely-in-application-config-file/ the code I was trying to implement is this:

var configuration = ConfigurationManager.OpenExeConfiguration(Assembly.GetExecutingAssembly().Location);

configuration.AppSettings.Settings["username"].Value = EncryptString("new username", configPassword);
configuration.AppSettings.Settings["password"].Value = EncryptString("new password", configPassword);
configuration.Save();

My question is encoding the username and password as fixed text still seems to result in the same exposure as hard-coding it right?

any help would greatly be appreciated?

Tasos K.
  • 7,979
  • 7
  • 39
  • 63
Jon
  • 734
  • 1
  • 7
  • 30
  • Read the encrypted UserName/Password from the AppConfig file (Dont write into it). The process of generating & updating appconfig can be done via separate app or manually. That way you can change passwords without impacting code. – Prateek Shrivastava Jan 02 '19 at 02:49
  • This is area I have struggled in as well (using username/password within programs). The answers I see tend to be [Salt and Hash](https://stackoverflow.com/questions/2138429/hash-and-salt-passwords-in-c-sharp) and store. The running program will `salt and hash` entry and check against stored hash. May be something to look into? – Jaskier Jan 02 '19 at 02:51
  • How would I do that? I thought config files are app specific? – Jon Jan 02 '19 at 02:51

3 Answers3

3

Uhm... Don't store in AppConfig settings.

If you cannot use a database for that (storing hashed and encrypted strings) get a new file for that, you can even protect it to allow only the service user account to read/modify it, or store it on the service profile directory (its user account profile directory)

I would do it using an ini file structure more easy to read than an xml, where each line contains something like

var mergedCredential = string.Format("{0}|{1}", "user@here.com" , "P@ssw0rd");
User1HashedCredentials=EncryptString("new username", mergedCredential);

I used a pipe to "merge" the credential as you can prevent users to use it on username

When you decrypt you split by "|"

var credentials = DecryptString("new username", User1HashedCredentials);
var splitted = credentials.Split('|');
Username = splitted[0]
Password = splitted[1]

An example of ini file:

[Users]

Count=5

[SendEmailSection]

User1=dsaa$#asdasd$#@rr==

User2=dggggjh7/sd$#@rr==

User3=dsaasd"/$%asdasd$#@rr==

User4=dsas/&"dasd$#@rr==

User5=dsAa&s3dasd$#@rr==

Which is easier to mantain and modify. You can even make your own specialized ini reader/writer Read sections, split by "="

Community
  • 1
  • 1
Jorge Rojas
  • 485
  • 3
  • 10
1

I do not suggest to store credential in app.config file. if you are planned to store there then you should store with proper encryption and decryption.

for you info you can refer this link

But I would suggest you to use window credential manager to store your password for more details you can use their nuget package and their sample

Nuget

Another reference

Github

divyang4481
  • 1,584
  • 16
  • 32
0

You can find it in your app's Preferences. Right click on your project. Select add. Add .settings form. Then crate a table which contains email, password etc.

Everybody voting down my Qs.
  • 7
  • 6