473,503 Members | 11,018 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

xml password storage

Hi all,

I know storing passwords in an xml document is a pretty bad idea, but
what are your thoughts on storing the passwords in an xml file on a
secure server where I am the only person with access rights to the
directory it is in? Would such a thing be ok? The app simply pulls db
connection info from an xml file and then makes modifications to the
data in the db periodically. It will be sat on a live server outside of
the web root, so unless someone hacks the server, it should be
inaccessible. Also, the db account it uses has the minimum access
rights to needed.

Aug 8 '06 #1
2 1871
You say "unless someone hacks the server, it should be inaccessible".

Because, you know, I have ^never^ heard of a web server being hacked.

It's a bad idea. Don't do it. If anything use the Data Protection API
that is offered in Windows to store this information. You can find
information on using DPAPI in the following blog entry:

http://blogs.msdn.com/shawnfa/archiv...05/126825.aspx

Hope this helps.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"^MisterJingo^" <mi*********@gmail.comwrote in message
news:11**********************@n13g2000cwa.googlegr oups.com...
Hi all,

I know storing passwords in an xml document is a pretty bad idea, but
what are your thoughts on storing the passwords in an xml file on a
secure server where I am the only person with access rights to the
directory it is in? Would such a thing be ok? The app simply pulls db
connection info from an xml file and then makes modifications to the
data in the db periodically. It will be sat on a live server outside of
the web root, so unless someone hacks the server, it should be
inaccessible. Also, the db account it uses has the minimum access
rights to needed.

Aug 8 '06 #2
Nicholas Paldino [.NET/C# MVP] wrote:
You say "unless someone hacks the server, it should be inaccessible".

Because, you know, I have ^never^ heard of a web server being hacked.

It's a bad idea. Don't do it. If anything use the Data Protection API
that is offered in Windows to store this information. You can find
information on using DPAPI in the following blog entry:

http://blogs.msdn.com/shawnfa/archiv...05/126825.aspx

Hope this helps.
Thanks Nicholas,

I'll take a look at the link. The reason I said this is, on most
servers each web application stores its connectionstrings in the
web.config file, so if the server got hacked, most passwords would be
availible anyway (not that this is a good thing!).

Aug 8 '06 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
4
6045
Minimum & Maximum for username/password
by: Lobang Trader | last post by:
Hi all, I am trying to create a username and a password class. I would like to know what are the RECOMMENDED minimum and maximum length for both fields? These fields will be something like...
Java
14
2909
General Password questions
by: Todd Johnson | last post by:
I am creating a dialog in wxPython for log in purposes. Basically when the user clicks the ok button, the dialog box saves the user name and password as class attributes. Then as long as the...
Python
0
2934
Multi-User Password Database (Password Storage)
by: Bright | last post by:
Dear All I'm after a multi-User password database so that I can centrally store system passwords and give granular access to individuals based on their own unique authentication (possibly a...
Oracle Database
5
4489
Where/How to Securely Store ID and Password?
by: Guadala Harry | last post by:
What are my options for *securely* storing/retrieving the ID and password used by an ASP.NET application for accessing a SQL Server (using SQL Server authentication)? Please note that this ID and...
ASP.NET
4
5536
one way password encryption
by: PJones | last post by:
I am looking for the best way to one way encrypt a password for storage in a database using (asp.net / vb.net) basically I need some functions or examples that I can freely use in a commercial...
Visual Basic .NET
26
5437
Salt in encrypted password in pg_shadow
by: David Garamond | last post by:
I read that the password hash in pg_shadow is salted with username. Is this still the case? If so, since probably 99% of all PostgreSQL has "postgres" as the superuser name, wouldn't it be better...
PostgreSQL Database
26
5523
Multi-user Password Database Solutions?
by: beporter | last post by:
First time poster here! Let me get straight to it... I'm currently not in a position that lets me interact with other developers face to face on a regular basis, and I am in need of some "round...
General
11
15589
Clear Password String in C# Compiled Code
by: cooltoriz | last post by:
Hello there, I just found that the compiled code won't hide the string variables so that I can see them by opening the execuable using Notepad. I have couple applications that have password...
C# / C Sharp
6
3452
Possible to retrieve password of current application pool
by: Dylan Nicholson | last post by:
Running as an administrator, I can retrieve the account password stored by IIS for any application pool (using the WAMUserPass property). But, unsurprisingly, an ASP.NET application running inside...
ASP.NET
5
3509
Embed username/password/etc. in exe at install time.
by: jehugaleahsa | last post by:
Hello: We have a request for an console application to change the administrative password on our user's machines during an upcoming update. The console application will be called from a batch...
C# / C Sharp
0
7207
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
7095
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
7294
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
7361
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
1
7015
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
1
5026
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...
Microsoft Access / VBA
0
3183
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The...
Networking - Hardware / Configuration
0
1523
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
C# / C Sharp
1
749
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us