16

I have the following connection string:

Data Source=Paul-HP\MYDB;Initial Catalog=MyMSDBSQL;Persist Security Info=True;User ID=sa;Password=password

(.net webservice) This can obviously be viewed simply by opening up the app.config file and looking at the configuration settings.

What I need is a way to make a hacker unable to see the password. But at the same time, leave it customisable so that it can be changed when deployed on another database.

Justin
  • 84,773
  • 49
  • 224
  • 367
IAmGroot
  • 13,760
  • 18
  • 84
  • 154

5 Answers5

19

You have a number of options - the ones that I am aware of (in order of preference):

  1. Use integrated (SSPI) security where you don't need to include a password in the config file
  2. Encrypt the connection string (see Encrypting Configuration Information Using Protected Configuration)
  3. Store the username and password separately and use string formatting to construct the full connection string,

So for example the connection string might look like this:

Data Source=Paul-HP\MYDB;Initial Catalog=MyMSDBSQL;Persist Security Info=True;User ID={0};Password={1}

I'd go for option 1, if thats not possible then option 2. I've mentioned option 3 for completeness.

Have you read Protecting Connection Information (ADO.NET)?

Justin
  • 84,773
  • 49
  • 224
  • 367
  • Suggestion 2 looks good for a static point of view, but none of the solutions provided (by anyone) allow customisation of the connection string after compilation? Though im guessing this is not possible, as that requires them entering clear text, which is what encription is avoiding. P.s why do you edit everything but not make any changes? – IAmGroot Sep 28 '11 at 11:02
  • 2
    @Doomsknight [I just removed the "thanks" signature from the end of your post](http://meta.stackexchange.com/questions/2950/should-hi-thanks-taglines-and-salutations-be-removed-from-posts) – Justin Sep 28 '11 at 11:12
  • If you want to customise the connection string then perhaps option 3 might be useful - you can then encrypt the password (and optionally the username) separately. – Justin Sep 28 '11 at 11:13
  • Ive used method 2, with the theory that I can keep a copy of the config file, and when change is needed, enter the details and encript it. Then use the newly encripted one. SSPI isnt possible for me. CHeers. – IAmGroot Sep 28 '11 at 13:02
  • @Justin Can you give us an example of c# code abput option #3 ? Thank you – A. Zalonis Feb 29 '16 at 09:27
9

First of all, don't use the "SA" account. It leaves your database wide open if someone gets the password. Use a custom account which only is allowed to do CRUD operations on a specific database.

The only way to get web.config is to hack your server. And if they have done that, you're screwed anyway.

jgauffin
  • 99,844
  • 45
  • 235
  • 372
  • 2
    Please motivate down votes so that I get a chance to improve my answer. – jgauffin Sep 28 '11 at 10:35
  • 2
    Wait but... this answer doesn't actually answer the guys question! (Not that I downvoted) – Justin Sep 28 '11 at 10:38
  • 2
    I'm not downvoted your answer but there are a lot of other possibilities to grab password from web.config not only to hack a server, for instance some virus can grab it from local development machine before deployment, or other cases. No matter how.. the question is how to encrypt password and it makes sense because the main rule regarding password propection - `never keep it in plain text` – sll Sep 28 '11 at 10:38
  • Good point. thanks. There is better answers covering encryption now, so no point in adding info about it. – jgauffin Sep 28 '11 at 10:43
  • 2
    +1 for mentioning not to use SA :). I am only using it for development reasons but it is a very important point. – IAmGroot Sep 28 '11 at 10:48
3

Probably easiest to encrypt the connection strings within the web.config or app.config

See How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Justin
  • 84,773
  • 49
  • 224
  • 367
ChrisBint
  • 12,773
  • 6
  • 40
  • 62
2

I Suggest en/decrypting the connection string. Therefore the connection string has to be set manually.

For encryption take a look at: http://dotnet-snippets.de/dns/encrypt-and-decrypt-strings-SID205.aspx

For Custom Settings take a look at: http://msdn.microsoft.com/en-us/library/8eyb2ct1.aspx

Replace the Encrypted with the correct one at runtime:

  public static void SetAppSettingValue(string Key, string Value)
   {

   System.Configuration.Configuration config == ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
// Add an Application Setting.

 config.AppSettings.Settings[Key].Value = Value;

  // Save the changes in App.config file.

   config.Save(ConfigurationSaveMode.Modified);

    ConfigurationManager.RefreshSection("appSettings");
  }
IAmGroot
  • 13,760
  • 18
  • 84
  • 154
oberfreak
  • 1,799
  • 13
  • 20
1

You could encrypt the connection string - then when you access the connection string, decrypt it. This isn't fool proof though as you're then stuck with the problem of where to store the key to decrypt the connection string!

Martin Clarke
  • 5,636
  • 7
  • 38
  • 58