Solved

SqlConnection - How to avoid hard coding password in config file.

Posted on 2008-06-12
Last Modified: 2009-12-16
I have a Windows app that I have created in VB.NET.  This is being deployed to a client's site, so in the properties of the SqlConnection, I am using "map property to a key in the configuration file".
However, I really dislike that the password (unencrypted) is hard coded in the configuration file.
Is there an alternative to hard coding the password?

I really like the flexibility of defining the database in the config file, but I know my client will not accept seeing their password hard coded.

Any help greatly appreciated.
Regards,
td

HERE IS SAMPLE CONFIG FILE:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
      <appSettings>
            <!--   User application and configured property settings go here.-->
            <!--   Example: <add key="settingName" value="settingValue"/> -->
            <add key="SqlConnection1.ConnectionString" value="workstation id=TOM;packet size=4096;user id=sa;data source=myPC;persist security info=True;initial catalog=myDataBase;password=PWD123" />
      </appSettings>
</configuration>
0
Question by:down0041
4 Comments
 
LVL 9

Expert Comment

by:Rob Siklos
ID: 21769447
You could store the password as encrypted text, which only your app knows how to decrypt.
0
 

Author Comment

by:down0041
ID: 21770580
Rob, thank you for your reply.
Sounds like a great solution.  Can you please give me a little more detail (i.e., how exactly would you do this)?  I'm not a complete newbie, but I need some more direction, or an example.

Any help greatly appreciated.
Regards,
td
0
 
LVL 9

Accepted Solution

by:
Rob Siklos earned 500 total points
ID: 21770689
First, give your application a Strong Name.  This will generate a public key pair (you should be able to find links about how to do this).

Then, add a method to your application which will encrypt a given password using the app's public key. (see System.Security.Cryptography.RSACryptoServiceProvider class)

Encrypt the password, and store that as a separate entry in the config file.  Then, when you load the connection string, also load the encrypted password and decrypt it with the app's private key.

Sorry I can't provide any code examples, but that's the basic methodology you should follow.
0
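
The encrypt-then-decrypt-at-load flow from the accepted answer, as an added VB.NET example that is not part of the original thread. It uses RSACryptoServiceProvider as suggested, but assumes the key pair is kept in a Windows key container (the container name "MyAppConfigKey" and all function names are hypothetical) rather than taken from the strong-name key, so the private key is neither in the config file nor in the assembly.

```vb
Imports System
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text

Module ProtectedPasswordDemo
    ' Hypothetical container name. The RSA key pair lives in the Windows key store;
    ' who may read it is governed by the ACL on the container.
    Private Const KeyContainer As String = "MyAppConfigKey"

    Private Function OpenKey() As RSACryptoServiceProvider
        Dim csp As New CspParameters()
        csp.KeyContainerName = KeyContainer
        csp.Flags = CspProviderFlags.UseMachineKeyStore
        ' Creates the key pair on first use and reopens the same one afterwards.
        Return New RSACryptoServiceProvider(2048, csp)
    End Function

    ' Run once at install time; the Base64 result is what goes into the config file.
    Public Function EncryptPassword(ByVal plain As String) As String
        Using rsa As RSACryptoServiceProvider = OpenKey()
            Return Convert.ToBase64String(rsa.Encrypt(Encoding.UTF8.GetBytes(plain), True))
        End Using
    End Function

    Public Function DecryptPassword(ByVal stored As String) As String
        Using rsa As RSACryptoServiceProvider = OpenKey()
            Return Encoding.UTF8.GetString(rsa.Decrypt(Convert.FromBase64String(stored), True))
        End Using
    End Function

    ' baseConnection is the config entry without a password; it is added in memory only.
    Public Function BuildConnectionString(ByVal baseConnection As String, ByVal storedPassword As String) As String
        Dim builder As New SqlConnectionStringBuilder(baseConnection)
        builder.Password = DecryptPassword(storedPassword)
        builder.PersistSecurityInfo = False ' do not hand the password back after Open()
        Return builder.ConnectionString
    End Function

    Sub Main()
        ' Constructed sample values, reusing the placeholder names from the question's config file.
        Dim stored As String = EncryptPassword("PWD123")
        Console.WriteLine("Value to store in config: " & stored)
        Dim cs As String = BuildConnectionString("data source=myPC;initial catalog=myDataBase;user id=sa", stored)
        Console.WriteLine("Round trip ok: " & (New SqlConnectionStringBuilder(cs).Password = "PWD123"))
    End Sub
End Module
```

The stored value only decrypts on the machine that holds the key container, so the encryption step has to run on the client's machine at install time.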
 

Author Comment

by:down0041
ID: 21770789
Rob - Thank you!
td
0
