Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

security

Posted on 2006-11-23
7
Medium Priority
?
166 Views
Last Modified: 2010-04-23
There is a connection string stored in My.Settings but it only has read access to the SQL Server. It will be used just to validate the username and password entered by the operator to those stored in the DB. If validated, a new set of username and password is sent back to the user (but it is not encrypted, and I need to learn some encryption too.) Now a new connection string is created on the fly, using this new username and password. With this new connection string, the program has write access over the database.

I have that design in mind, since I don't want the username and password to be found by reverse engineering the executable. Is the above a good idea, or is it not?
0
Comment
Question by:huji
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 15

Expert Comment

by:Solar_Flare
ID: 18004962
so the username and password will be hardcoded into your application?

if so, why not just encrypt the connectionstring and put the encrypted version of the string into your application,then decrypt it at runtime before making the connection? this way decompiling your app will only reveal the encrypted string.
0
 
LVL 14

Author Comment

by:huji
ID: 18006145
The first username and password (which has READ permission) is hardcoded. From the second connectionstring, only the database IP and catalog name are hardcoded, the rest (new username and password) comes from the SQL Server at runtime.
Your idea of encrypting these strings and decrypting them at runtime is appropriate. What encryption method do you suggest?
0
 
LVL 15

Accepted Solution

by:
Solar_Flare earned 375 total points
ID: 18006152
you can use the system.security.cryptography classes.

this page http://www.codeproject.com/dotnet/SimpleEncryption.asp should help gut you started with some encryption :)
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Author Comment

by:huji
ID: 18006552
Well, I meant, should I use those basic methods, or should I use a different method which is not so well known? Does using known methods give a chance of reverse engineering them? (I know I'm doing an overkill, but I'm learning things.)
0
 
LVL 14

Author Comment

by:huji
ID: 18020728
OK. Now, is the idea of transfering a second username and password over the network a good idea, or not?
0
 
LVL 15

Assisted Solution

by:JackOfPH
JackOfPH earned 375 total points
ID: 18026156
It would be safe when you transffer the username and the password over the network if it is encrypted. But still there is a tendency that the transfer can be captured by other programs.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction When many people think of the WebBrowser (http://msdn.microsoft.com/en-us/library/2te2y1x6%28v=VS.85%29.aspx) control, they immediately think of a control which allows the viewing and navigation of web pages. While this is true, it's a…
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question