.NET Best Practice for SQLclient Connection String - Persist Security Info

When creating an application what is the best method to use for storing a SQL connection string within a .NET application where the password is not listed in the config file?

I have set [Persist Security Info] = 'False', however I have not found an information/examples where the password can be provided back to the .NET application to establish the connect to the Database.  Any ideas?
CmitchAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sarabandeCommented:
you would store the encrypted password in the connection string or separately (for example in the registry or in your program i availablef it never changes). generally you could use any strong decryption.

alternatively you could use a own encryption phrase which is as long as the password (minimum should be 16 characters for each). the phrase should not occur directly as a string in your code. you would x'or both the password and the phrase characters and then use a reversable transformation for the resulting characters which would move them to printable ascii (code 33 to 126) by using 2 input characters for 3 output characters (see the sample for such a transformation). the result string than can be safely stored.

is it possible to crack the code? yes, if someone get knowledge of the phrase and the transformation algorithm or if the connection string was watched in a debugger after decryption. otherwise it is impossible as you have an individual character for each password character what is the strongest you can do for a reversable encryption.

example:

password: ABCD  (65 66 67 68)
phrase:  z!0K (122 33 48 75)
xor:  (65^122) (66^33) (67^48) (68^75) = 59 99 115 15
octal:  073 143 163 017 
2 to 3: (07 31 43) (16 30 17)
+32:  (39 63 65 48 62 49)
Result: '?B0>1

Open in new window


the reverse operations are simple.

Sara
0
CmitchAuthor Commented:
Thanks Sara,

Can advise how the connection string can be updated with the decrypted password to establish the connection to the Database?  

Currently the Connection String is stored within the application settings as a 'Connection String' however this is read-only and can not be modified.  Can you please advise how I can update this or replace the connecting string.
0
ste5anSenior DeveloperCommented:
The only approach which makes some sense is to use ProtectedConfigurationProvider.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sarabandeCommented:
using c++ you would store the connection string with a placeholder for the password like "...PWD=<password>". then after decryption you replace the placeholder by the real password.

Sara
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET Programming

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.