Solved

.NET Best Practice for SQLclient Connection String - Persist Security Info

Posted on 2014-10-27
Last Modified: 2014-10-28
When creating an application, what is the best method to use for storing a SQL connection string within a .NET application where the password is not listed in the config file?

I have set [Persist Security Info] = 'False', however I have not found any information/examples where the password can be provided back to the .NET application to establish the connection to the Database.  Any ideas?
Question by:Cmitch
LVL 34

Expert Comment

by:sarabande
ID: 40407834
you would store the encrypted password in the connection string or separately (for example in the registry or in your program if it never changes). generally you could use any strong decryption.

alternatively you could use your own encryption phrase which is as long as the password (minimum should be 16 characters for each). the phrase should not occur directly as a string in your code. you would x'or both the password and the phrase characters and then use a reversible transformation for the resulting characters which would move them to printable ascii (code 33 to 126) by using 2 input characters for 3 output characters (see the sample for such a transformation). the result string then can be safely stored.

is it possible to crack the code? yes, if someone gets knowledge of the phrase and the transformation algorithm or if the connection string was watched in a debugger after decryption. otherwise it is impossible as you have an individual character for each password character, which is the strongest you can do for a reversible encryption.

example:

password: ABCD  (65 66 67 68)
phrase:  z!0K (122 33 48 75)
xor:  (65^122) (66^33) (67^48) (68^75) = 59 99 115 15
octal:  073 143 163 017 
2 to 3: (07 31 43) (16 30 17)
+32:  (39 63 65 48 62 49)
Result: '?B0>1



the reverse operations are simple.

Sara
0
 

Author Comment

by:Cmitch
ID: 40407929
Thanks Sara,

Can you advise how the connection string can be updated with the decrypted password to establish the connection to the Database?  

Currently the Connection String is stored within the application settings as a 'Connection String', however this is read-only and cannot be modified.  Can you please advise how I can update this or replace the connection string.
0
 
LVL 34

Accepted Solution

by:
ste5an earned 500 total points
ID: 40407941
The only approach which makes some sense is to use ProtectedConfigurationProvider.
0
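
The approach named in the accepted answer, as an added example that is not part of the original thread: it encrypts the connectionStrings section in place with the built-in DPAPI provider and then reads it back, which .NET decrypts transparently. The entry name "AppDb" and the class name are assumptions made for illustration.

```csharp
using System;
using System.Configuration;   // requires a reference to System.Configuration.dll
using System.Data.SqlClient;

static class ProtectedConnectionString
{
    // Hypothetical entry name in <connectionStrings>; replace with your own.
    const string Name = "AppDb";

    // Encrypts <connectionStrings> in the application's .config file in place.
    // Run once on the target machine, for example from an installer step.
    public static void Protect()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("connectionStrings section missing");

        if (!section.SectionInformation.IsProtected)
        {
            // DPAPI-based provider: the ciphertext is bound to this machine.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            ConfigurationManager.RefreshSection("connectionStrings");
        }
    }

    // Reading needs no decryption code: the provider is applied automatically.
    public static SqlConnection Open()
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[Name];
        if (entry == null)
            throw new ConfigurationErrorsException("No connection string named " + Name);

        // Persist Security Info=False keeps the password from being read back
        // off the connection object once the connection has been opened.
        var builder = new SqlConnectionStringBuilder(entry.ConnectionString)
        {
            PersistSecurityInfo = false
        };
        var connection = new SqlConnection(builder.ConnectionString);
        connection.Open();
        return connection;
    }
}
```

Protect() needs write access to the .config file, and with the machine-level DPAPI key any code running on that machine can decrypt the section, so this protects the file when it is copied elsewhere rather than against a local administrator.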
 
LVL 34

Expert Comment

by:sarabande
ID: 40408076
using c++ you would store the connection string with a placeholder for the password like "...PWD=<password>". then after decryption you replace the placeholder by the real password.

Sara
0
