Solved

SqlConnection - How avoid hard coding password in config file.

Posted on 2008-06-12
4
333 Views
Last Modified: 2009-12-16
I have a windows app, that I have created in VB.net.  This is being deployed to a client's site, so in the properties of the SqlConnection, I am using "map property to a key in the configuration file".  
However, I really dislike that the password (unencrypted) is hard coded in the configuration file.
Is there an alternative to hard coding the password?

I really like the flexibility of defining the database in the config file, but I know my client will not accept seeing their password hard coded.

Any help greatly appreciated.
Regards,
td

HERE IS SAMPLE CONFIG FILE:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
      <appSettings>
            <!--   User application and configured property settings go here.-->
            <!--   Example: <add key="settingName" value="settingValue"/> -->
            <add key="SqlConnection1.ConnectionString" value="workstation id=TOM;packet size=4096;user id=sa;data source=myPC;persist security info=True;initial catalog=myDataBase;password=PWD123" />
      </appSettings>
</configuration>
0
Comment
Question by:down0041
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 9

Expert Comment

by:Rob Siklos
ID: 21769447
You could store the password as encrypted text, which only your app knows how to decrypt.
0
 

Author Comment

by:down0041
ID: 21770580
Rob, thank you for your reply.
Sounds like a great solution.  Can you please give me a little more detail.  (ie. how exactly would you do this).  I'm not a complete newbie, but I need some more direction, or an example.

Any help greatly appreciated.
Regards,
td
0
 
LVL 9

Accepted Solution

by:
Rob Siklos earned 500 total points
ID: 21770689
First, give your application a Strong Name.  This will generate a public key pair (you should be able to find links about how to do this).

Then, add a method to your application which will encrypt a given password using the app's public key. (see System.Security.Cryptography.RSACryptoServiceProvider class)

Encrypt the password, and store that as a separate entry in the config file.  Then, when you load the connection string, also load the encrypted password and decrypt it with the app's private key.

Sorry I can't provide any code examples, but that's the basic methodology you should follow.
0
 

Author Comment

by:down0041
ID: 21770789
Rob - Thank you!
td
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're writing a .NET application to connect to an Access .mdb database and use pre-existing queries that require parameters, you've come to the right place! Let's say the pre-existing query(qryCust) in Access takes a Date as a parameter and l…
It’s quite interesting for me as I worked with Excel using vb.net for some time. Here are some topics which I know want to share with others whom this might help. First of all if you are working with Excel then you need to Download the Following …
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question