Where to store the DB password in a asp.net app?

Hi Darren,

If you use Integrated authentication, you'd be fairly safe in the
web.config.

Otherwise, people use the methods you outlined. This article shows some
ideas:

HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State
Connection Strings

http://support.microsoft.com/default...b;en-us;329290

"Darren Clark" <dc******@hotmail.com> wrote in message
news:Gi*****************@news-server.bigpond.net.au...
Basically i am curious as to where everyone stores there database details
for ASP.NET apps?

When developing controls i usually stored it in the web.config file.
Then i move it to a internal private property that is only acessable from my
DB classes.

What other methods do people use?

Encryption and then store in the webconfig? or registry? or encrypt then
registry?

Hi Darren,

This is a little bit custom, but I use a special Configuration class that
supports encryption of specified fields (among other things). I can then
store an encryption key inside of the compiled code somewhere as the key to
decrypt the encoded configuration keys.

There's more info on this solution here:

http://www.west-wind.com/presentatio...ationclass.asp
+++ Rick

--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/weblog/
----------------------------------
Making waves on the Web
"Darren Clark" <dc******@hotmail.com> wrote in message
news:Gi*****************@news-server.bigpond.net.au...
Basically i am curious as to where everyone stores there database details
for ASP.NET apps?

When developing controls i usually stored it in the web.config file.
Then i move it to a internal private property that is only acessable from my
DB classes.

What other methods do people use?

Encryption and then store in the webconfig? or registry? or encrypt then
registry?

Personally, I have a 'webuser' account with limited privileges (can only run certain stored procedures necessary to run the web application, doesn't even need 'select' access to tables), the password for this is then stored in the connection string in the registry. Yes, admittedly, a user who had access to log onto the webserver could technically glean the password and log on through QA and run some stored procedures. But wa-hey! great. They'd have to know the name of the SP, and even then they'd only be able to see as much data as it showed them. Remember a user can have 'execute' permissions on stored procedure 'sp_X' that reads some of or all of table 't_Y', without having 'select' permissions on t_Y
This is in my opinion the best way to control access to data

For situations where people need to use their own username and password from a fat-client app, I have a DLL on a file server (Windows DLL, written in C++) that exposes APIs to encrypt the password to the registry and retrieve it, the encryption key being compiled into the DLL so it can't be known. It could probably be hacked by an experienced cryptographer, but not by the average layman who knows how to browse 'warez' sites for "vba crackers", etc.