Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 350
  • Last Modified:

SqlConnection - How avoid hard coding password in config file.

I have a windows app, that I have created in VB.net.  This is being deployed to a client's site, so in the properties of the SqlConnection, I am using "map property to a key in the configuration file".  
However, I really dislike that the password (unencrypted) is hard coded in the configuration file.
Is there an alternative to hard coding the password?

I really like the flexibility of defining the database in the config file, but I know my client will not accept seeing their password hard coded.

Any help greatly appreciated.
Regards,
td

HERE IS SAMPLE CONFIG FILE:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
      <appSettings>
            <!--   User application and configured property settings go here.-->
            <!--   Example: <add key="settingName" value="settingValue"/> -->
            <add key="SqlConnection1.ConnectionString" value="workstation id=TOM;packet size=4096;user id=sa;data source=myPC;persist security info=True;initial catalog=myDataBase;password=PWD123" />
      </appSettings>
</configuration>
0
down0041
Asked:
down0041
  • 2
  • 2
1 Solution
 
Rob SiklosCommented:
You could store the password as encrypted text, which only your app knows how to decrypt.
0
 
down0041Author Commented:
Rob, thank you for your reply.
Sounds like a great solution.  Can you please give me a little more detail.  (ie. how exactly would you do this).  I'm not a complete newbie, but I need some more direction, or an example.

Any help greatly appreciated.
Regards,
td
0
 
Rob SiklosCommented:
First, give your application a Strong Name.  This will generate a public key pair (you should be able to find links about how to do this).

Then, add a method to your application which will encrypt a given password using the app's public key. (see System.Security.Cryptography.RSACryptoServiceProvider class)

Encrypt the password, and store that as a separate entry in the config file.  Then, when you load the connection string, also load the encrypted password and decrypt it with the app's private key.

Sorry I can't provide any code examples, but that's the basic methodology you should follow.
0
 
down0041Author Commented:
Rob - Thank you!
td
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now