web.config best practices for passwords

Jay Douglas

Hello all.
I have a few different applications that store passwords for various
items in the web.config file in plain text (i.e. SMTP credentials, DB
connection strings). I know this is a pretty serious security risk;
however, I'm having a hard time finding a better way to allow easy modification
of user names and passwords for application components. I was wondering what
type of input other developers may have, or possibly a URL containing some
good information.

Thanks in advance.
 
Best practice is to salt (add a known alphanumeric string) and encrypt and
store somewhere such as the global.asax.vb file. Ideally, using the registry
is even better.

I personally use 256-bit AES encryption with part (encrypted) in web.config
and the other part in the global.asax.vb. Then when the application begins
I decrypt and build the string on demand. I leave the server IP unencrypted
so I can easily point to another server for the DB if needed.

Harry
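
For the two settings named in the question (DB connection strings and SMTP credentials), ASP.NET's built-in protected configuration is another way to keep them encrypted inside web.config while still allowing them to be edited. The following is an added example, not code from either poster in this thread; the virtual path `/MyApp` and the `--decrypt` switch are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: toggles ASP.NET protected configuration on the two
// web.config sections the question mentions. Run as an administrator on
// the web server; "/MyApp" is an assumed virtual path, not from the thread.
static class ProtectWebConfig
{
    // Sections that hold the DB connection strings and the SMTP credentials.
    static readonly string[] SecretSections =
    {
        "connectionStrings",
        "system.net/mailSettings/smtp"
    };

    // Built-in provider name registered in machine.config. Its RSA key
    // container can be exported to other servers, unlike the machine-bound
    // DataProtectionConfigurationProvider (DPAPI).
    const string Provider = "RsaProtectedConfigurationProvider";

    static int Main(string[] args)
    {
        string appPath = args.Length > 0 ? args[0] : "/MyApp";    // assumed default
        bool decrypt = args.Length > 1 && args[1] == "--decrypt"; // to edit values

        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        foreach (string name in SecretSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || section.SectionInformation.IsLocked)
            {
                Console.Error.WriteLine("skipped: " + name);
                continue;
            }
            SectionInformation info = section.SectionInformation;
            if (decrypt && info.IsProtected)
                info.UnprotectSection();       // plain text again, for editing
            else if (!decrypt && !info.IsProtected)
                info.ProtectSection(Provider); // replaced by encrypted XML on save
            info.ForceSave = true;             // write the section even if unchanged
            Console.WriteLine("{0}: protected={1}", name, info.IsProtected);
        }
        config.Save(ConfigurationSaveMode.Modified);
        return 0;
    }
}
```

The application needs no code changes, because `ConfigurationManager` decrypts protected sections transparently when they are read. The application pool identity must have read access to the RSA key container, which can be granted with `aspnet_regiis -pa`.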
 