web.config best pratices for passwords

Jay Douglas · Mar 23, 2004

Hello all.
I have a few different applications that store passwords for various
items in the web.config file in plain text. (i.e. SMTP Credentials, DB
connection strings) .. I know this is a pretty serious security risk,
however I'm having a hard time find a better way to allow easy modification
of user name and passwords for application components. I was wondering what
type of input other developers may have or possibly a Url containing some
good information.

Thanks in advance.

Harry Simpson · Mar 23, 2004

Best practice is to salt (add know alphanumeric string) and encrypt and
store somewhere such as the global.asax.vb file. Ideally using the registry
is even better.

I personally use 256bit AES encryption with part (encrypted) in web.config
and the other part in the global.asax.vb. Then when the application begins
I decrypt and build the string on demand. I leave the server IP unencrypted
so i can easily point to another server for the DB if needed.

Harry

John Timney \(Microsoft MVP\) · Mar 23, 2004

if the servers yours, then you can use the utilities that come ith asp.net
to provide password encryption.
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

If its not, then you will need to roll your own encryption approach using
something like an MD5hash

--
Regards

John Timney
Microsoft Regional Director
Microsoft MVP

Jay Douglas · Mar 24, 2004

John,
Prefect, thx a ton.

Deploy without overwriting Web.Config	4	Jan 17, 2007
Authenticate Users In Web.Config?	1	Sep 16, 2006
Best Pratices to Develop three tier Web Site	1	Dec 2, 2009
Web.config problem	5	Feb 5, 2008
Dev and production web.configs	1	Jun 26, 2009
encryption in web.config	2	Nov 28, 2004
Help with Web.config	1	Jan 21, 2009
MailSettings code generates VS2005 error in web.config	3	Apr 30, 2007

web.config best pratices for passwords

Jay Douglas

Harry Simpson

John Timney \(Microsoft MVP\)

Jay Douglas

Ask a Question

Similar Threads