
So I've been tasked with modernizing a .NET application built in Visual Studio that functions as my organization's receipt matching tool. One of the problems that sticks out the most is that it stores its passwords for non-prod AND prod database access in an app.config file, unencrypted and part of the source code stored in TFS. The connection strings look similar to this:

<!-- DEV -->
<add name="DEV_USER" connectionString="data source=DEVDB;user id=DEV_USER;password=*Password*;" providerName="System.Data.OracleClient"/>

Any suggestions on how to manage these outside of the application while still using them within? I am also fairly new to .NET applications, so any advice is greatly appreciated.

2 Answers


If you don't want to store any passwords, you can populate them at runtime:

<add name="DEV_USER" connectionString=" ..SNIP.. password={0};" ..SNIP.. />

Then use string.Format(devConnectionString, realPassword).

Zer0
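The answer above leaves open where realPassword comes from. The following added example (mine, not the answer's or the project's code) keeps the template in app.config with no secret in it and reads the password from an environment variable set on the host; the variable name DEV_DB_PASSWORD and the class name are assumptions. It uses System.Data.Common.DbConnectionStringBuilder instead of string.Format so that a password containing ';' or '"' is quoted correctly rather than corrupting the connection string.

```csharp
using System;
using System.Configuration;   // ConfigurationManager: reference System.Configuration.dll
using System.Data.Common;

// Added example, not code from the original answer.
static class ConnectionStrings
{
    // Returns the connection string named `name` from app.config with the password
    // taken from the environment variable `passwordEnvVar`. The app.config entry
    // can keep the answer's "password={0}" placeholder or drop the key entirely;
    // either way the value written here replaces it.
    public static string Build(string name, string passwordEnvVar)
    {
        ConnectionStringSettings setting = ConfigurationManager.ConnectionStrings[name];
        if (setting == null)
            throw new InvalidOperationException($"No connection string named '{name}' in app.config");

        string password = Environment.GetEnvironmentVariable(passwordEnvVar);
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException($"Environment variable {passwordEnvVar} is not set");

        // DbConnectionStringBuilder parses the key=value list and quotes the new value
        // if it contains ';' or '"'; string.Format(template, password) would not.
        var builder = new DbConnectionStringBuilder { ConnectionString = setting.ConnectionString };
        builder["password"] = password;
        return builder.ConnectionString;
    }
}

class Program
{
    static void Main()
    {
        // Assumed app.config entry (no password in the file, so none in TFS):
        // <add name="DEV_USER" connectionString="data source=DEVDB;user id=DEV_USER;"
        //      providerName="System.Data.OracleClient"/>
        // DEV_DB_PASSWORD is an assumed variable name, set per environment on the host.
        string connStr = ConnectionStrings.Build("DEV_USER", "DEV_DB_PASSWORD");

        // Pass connStr to the existing OracleConnection code; never log it.
        Console.WriteLine("Built connection string for DEV_USER ({0} characters)", connStr.Length);
    }
}
```

Set the variable for the account the application runs under (a service account in prod, each developer's own account in dev) so that prod credentials never need to be on a developer machine. The caveat: environment variables are readable by anyone who can inspect the process and are inherited by child processes, so this removes the secret from source control but does not protect it from other code running as the same user.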

You can use an external file to hold the connection strings, for example:

Databases.xml

with encrypted content like this:

<?xml version="1.0" encoding="utf-8" ?>
<DATABASES>
    <DataBase ConnStr="CKS27/1dfdsUJd3eKfdjvwxGUFGMtFKOWVv1FgffhGQ1uZGWk/PuPCogfOvWsYhdMWKQSfdtxg==">DBName</DataBase>
</DATABASES>

and read them when your code starts executing. Within that external file you can hold the connection strings in encrypted form and decrypt them when you need them. LINQ, EF and SqlConnection all support setting connection strings from code.

For example:

using System.Collections.Generic;
using System.IO;
using System.Xml;

// Looks up DBName in Databases.xml and returns its decrypted connection string.
// Decrypt() is whatever routine matches the Encrypt() used to produce the file.
string GetConnectionString(string DBName)
{
    var doc = new XmlDocument();
    // CurrentDirectory is the process working directory; use
    // AppDomain.CurrentDomain.BaseDirectory if the file lives beside the executable.
    string fullFileName = Path.Combine(System.Environment.CurrentDirectory, "Databases.xml");
    doc.Load(fullFileName);
    foreach (XmlNode node in doc.DocumentElement.ChildNodes)
    {
        if (node.InnerText == DBName)
        {
            string currConnStr = Decrypt(node.Attributes["ConnStr"].Value);
            return currConnStr;
        }
    }
    // No matching entry: fail loudly rather than returning null.
    throw new KeyNotFoundException("No entry for " + DBName + " in " + fullFileName);
}
user1892777
  • But you should be aware that everybody can write a small application which calls `Decrypt(...)` on this encrypted string. Also note `Encrypt()` is linked to the user, i.e. if you encrypt the password with your user account then you cannot use it on any other machine with a different user. – Wernfried Domscheit Feb 22 '19 at 16:15
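The answer and the comment above describe an Encrypt/Decrypt pair tied to the user account without showing one. The following added example (mine, not the answer's code) fills that in with Windows DPAPI via System.Security.Cryptography.ProtectedData, which is what the "linked to the user" behaviour in the comment corresponds to. It writes Databases.xml in the layout the answer shows and reads it back; the class and method names and the sample connection string are assumptions. Both DataProtectionScope values are exposed so the trade-off the comment raises is explicit in the code.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;   // ProtectedData: reference System.Security.dll
using System.Text;
using System.Xml.Linq;

// Added example, not code from the original answer.
static class ProtectedConnectionStrings
{
    // CurrentUser: only the Windows account that encrypted the value can decrypt it,
    // and only where that account's DPAPI master key is available (this machine, or a
    // roaming profile). LocalMachine: any process on this machine can decrypt, so the
    // file is protected only by the host's ACLs. In either scope, code running as the
    // right principal can call Unprotect, which is the comment's point.
    public static string Encrypt(string plain, DataProtectionScope scope)
    {
        byte[] cipher = ProtectedData.Protect(Encoding.UTF8.GetBytes(plain), null, scope);
        return Convert.ToBase64String(cipher);
    }

    public static string Decrypt(string base64, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(base64), null, scope);
        return Encoding.UTF8.GetString(plain);
    }

    // Writes Databases.xml in the answer's layout: one <DataBase> element per database
    // name, with the encrypted connection string in the ConnStr attribute.
    public static void Save(string path, DataProtectionScope scope,
                            params (string name, string connStr)[] entries)
    {
        var root = new XElement("DATABASES",
            entries.Select(e => new XElement("DataBase",
                new XAttribute("ConnStr", Encrypt(e.connStr, scope)),
                e.name)));
        new XDocument(root).Save(path);
    }

    // Finds the element whose text is dbName and returns the decrypted connection string.
    public static string Load(string path, string dbName, DataProtectionScope scope)
    {
        XElement node = XDocument.Load(path).Root
            .Elements("DataBase")
            .FirstOrDefault(e => e.Value == dbName);
        if (node == null)
            throw new InvalidOperationException($"No entry for '{dbName}' in {path}");
        return Decrypt((string)node.Attribute("ConnStr"), scope);
    }
}

class Program
{
    static void Main()
    {
        // Keep the file beside the executable and outside the repository. BaseDirectory
        // is stable; Environment.CurrentDirectory changes with how the process is launched.
        string path = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Databases.xml");
        var scope = DataProtectionScope.CurrentUser;

        // Constructed sample value. In practice run the Save step once on the target
        // host, under the service account, so the decrypting process is the same
        // principal as the encrypting one.
        ProtectedConnectionStrings.Save(path, scope,
            ("DEVDB", "data source=DEVDB;user id=DEV_USER;password=dev-example;"));

        string connStr = ProtectedConnectionStrings.Load(path, "DEVDB", scope);
        Console.WriteLine("Decrypted connection string for DEVDB ({0} characters)", connStr.Length);
    }
}
```

On .NET Core and later, ProtectedData comes from the System.Security.Cryptography.ProtectedData package and works only on Windows. Because CurrentUser scope binds the ciphertext to the account, the encrypted file cannot be produced on a developer machine and copied to the prod server; it has to be generated on the host under the prod service account, which is also what keeps prod credentials away from developers.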