
I have 10+ legacy VB6/VB.NET applications. They establish connections to databases (ODBC/Thick client). The connections strings are all just strings in the source, plain text. My current task is to remove all occurrences of the database's password; I'm trying to decide the best approach.

What I've gathered/decided thus far:

  • Using just the app.config is not enough. The production DB password would then be in the appname.manifest.config on the user's machine.. in plain text! Unacceptable for my needs.

  • Encryption/Decryption (app.config with ConfigurationManager .NET class) on the main load/close events is an option. Is it a good one? Tim Corey says don't do it.. ugh.

  • I have all the DB passwords available on the IIS site that my web services use. They are stored in the connection strings (web.config) correctly. I am able to retrieve them from web services.. why shouldn't I use a web service to return the correct connection string? Because of security reasons - authorization and authentication.. is that solely it?

Use a web service call to return the database password, making sure your security is perfect?

Edit: You have some real options when removing the password from your legacy database application:

  • Just update your password and continue the cycle. Re-publish everything :(
  • Refactor the code, and remove database operations out of the view section of your desktop code. Put it into a web-service. Do NOT write SQL within your views/forms at all costs!
  • Use a web-service to return your connection string lol. Not great - works but not recommended unless you don't feel there are enough negatives with this solution. (Authen/Authorization/Hackers/its janky/etc)
  • Use app.config and be OK with your password being in plain text. Optionally encrypt it. Salt + Hash would be GREAT! This is the ideal solution IMO if it wasn't such a huge task. <--
Dont

1 Answer


As long as the password is required to make the connection from the desktop app, it won't be secure. Even if you store it in an encrypted format or retrieve it at runtime, a determined hacker can find ways to retrieve the password from memory.

The proper way to do this is to move the database-related operations to a web service running on a secure server. The web service would then access the database as a trusted application, e.g. running as a service account with a trusted connection.

If that is too much work, and/or you're not too worried about a "determined hacker" and just want to deter curious employees, it's probably adequate to encrypt the password in the config file.

John Wu
  • Thanks John for the detailed response, the answer seems to be "it depends". :) I currently am looking into the web-service route first. – Dont Apr 05 '21 at 17:26
  • There is no good solution for storing passwords in client side apps. If the app can decrypt it, then any app can (often, you think you've found a solution, only to realize that now you need to protect some key material, and you end up back where you started). The only solution that works reliably is _Windows Authentication_ to the database, but that only makes sense in some cases – Flydog57 Apr 06 '21 at 02:37
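The two config-side options discussed above (the asker's "encrypt it with ConfigurationManager" and the answer's "encrypt the password in the config file" versus "a trusted connection with no password") can be shown side by side. The following VB.NET module is an added example, not code from the question or the answer. It assumes a .NET Framework desktop project that references System.Configuration and has a `<connectionStrings>` section in its app.config; the connection string name `LegacyDb` and the server name `dbserver01` are placeholders. It uses the built-in `DataProtectionConfigurationProvider` (DPAPI) to encrypt the section on disk, and builds an Integrated Security connection string as the password-free alternative.

```vbnet
' Added example (not from the question or answer): protect the connectionStrings
' section of a .NET desktop app's config with DPAPI via ConfigurationManager, and
' show the password-free Windows Authentication connection string as the alternative.
' Assumptions: .NET Framework, a reference to System.Configuration, an app.config
' with a <connectionStrings> section. "LegacyDb" and "dbserver01" are placeholders.
Imports System
Imports System.Configuration
Imports System.Data.SqlClient

Module ConfigProtection

    ' .NET Framework ships two protected-configuration providers:
    ' DPAPI (keyed to the machine or user account, nothing to distribute) and RSA.
    Private Const DpapiProvider As String = "DataProtectionConfigurationProvider"

    ' Encrypt the <connectionStrings> section in place. Run this once at install
    ' time under the account that will run the app, not on every form load.
    Public Sub ProtectConnectionStrings()
        Dim config As System.Configuration.Configuration =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConnectionStringsSection = config.ConnectionStrings

        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection(DpapiProvider)
            section.SectionInformation.ForceSave = True
            config.Save(ConfigurationSaveMode.Full)
            ' Make the in-memory view match the rewritten file.
            ConfigurationManager.RefreshSection("connectionStrings")
        End If
    End Sub

    ' Reading is unchanged: ConfigurationManager decrypts transparently, so the
    ' application never touches the key or the ciphertext itself. That is also the
    ' caveat from the answer: any code running as the same Windows user (or on the
    ' same machine, for machine-scoped DPAPI) can call this and get the plaintext.
    Public Function GetConnectionString(name As String) As String
        Dim settings As ConnectionStringSettings = ConfigurationManager.ConnectionStrings(name)
        If settings Is Nothing Then
            Throw New ConfigurationErrorsException("Missing connection string: " & name)
        End If
        Return settings.ConnectionString
    End Function

    ' The stronger option from the answer and comments: no password at all.
    ' With Integrated Security the connection authenticates as the Windows identity
    ' (the interactive user, or a service account for a web service), so the config
    ' contains no secret that needs protecting in the first place.
    Public Function BuildTrustedConnectionString(server As String, database As String) As String
        Dim builder As New SqlConnectionStringBuilder()
        builder.DataSource = server
        builder.InitialCatalog = database
        builder.IntegratedSecurity = True
        ' Yields: Data Source=<server>;Initial Catalog=<database>;Integrated Security=True
        Return builder.ConnectionString
    End Function

    Sub Main()
        ProtectConnectionStrings()
        ' On disk, app.exe.config now holds <EncryptedData> instead of the plain string.
        Console.WriteLine(GetConnectionString("LegacyDb"))
        Console.WriteLine(BuildTrustedConnectionString("dbserver01", "LegacyDb"))
    End Sub

End Module
```

Design note: DPAPI protection removes the password from the file a curious employee can open in Notepad, which is the "deter curious employees" bar the answer sets; it does not raise the bar against someone who can run code under that Windows account, because `GetConnectionString` decrypts it for them. The `BuildTrustedConnectionString` path is the one that actually eliminates the secret, and it is the same trusted-connection model the answer proposes for a web service running as a service account.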