?
Solved

Where is the best place to put id and passwords?

Posted on 2015-01-12
7
Medium Priority
?
255 Views
Last Modified: 2015-01-14
Hi, I'm using VS2010.
I created a web application and I am wondering where is the best place to store the userid and password.  Currently I have it in Web.config in the App setting section.  Well, should I just put it in my C# code?  I mean when I deploy to web server then it's in dll form?  Shouldn't that be better than web.config?  If that server is hacked then they might get to the web.config and read the password.  Thank you for your input.
0
Comment
Question by:lapucca
7 Comments
 
LVL 34

Expert Comment

by:Mike Eghtebas
ID: 40545202
Consider storing it in a control tag property.

or instead consider:

"Set your config files in a directory outside of public webspace , the webserver should be the owner of this directory and it should have permissions set to 700. All files it contains should be 644. This way no one can even read the file contents apart from webserver user or root.

This is a common approach, but there is a lot more to the subject as security is a very vast topic, but is better than 90% of the setups out there."
0
 

Author Comment

by:lapucca
ID: 40545260
Currently the web.config is just under the www folder of the Windows IIS web server.  I don't know what do you mean but web server is the owner.  Web server is a machine and not an account that I'm aware of.  and how to set 700 permission?  I only know if I right click a folder or file then I can click on the Security tab and set different user account to different access permission level.  Appreciate it if you can elaborate.  Thank you.
0
 
LVL 34

Assisted Solution

by:Mike Eghtebas
Mike Eghtebas earned 668 total points
ID: 40545271
lapucca,

I though I have included the link for my quote in the last post. After storing in the tag suggestion, I came across the second solution for you to take a look at:

http://stackoverflow.com/questions/6281930/what-is-the-most-accepted-method-for-hiding-password-for-connect-php-file

There is more suggestion in this link.
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 

Author Comment

by:lapucca
ID: 40545318
Thanks but looking at that didn't really explain about permission 700 ....  Should I just leave it in the C# code instead?  Thank you.
0
 
LVL 85

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 664 total points
ID: 40545474
700 and 644 are linux/unix permission settings for windows you need to add system to the read permissions and 1 user with read/write permissions (so it can be changed) and deny i_user read/write permissions.
0
 
LVL 10

Accepted Solution

by:
Walter Padrón earned 668 total points
ID: 40545484
You better go with encryption

Connection Strings and Configuration Files
http://msdn.microsoft.com/en-us/library/ms254494%28v=vs.110%29.aspx

go to section  "Encrypting Configuration File Sections Using Protected Configuration"
0
 

Author Closing Comment

by:lapucca
ID: 40549688
I'm using IIS on Windows server.  Thank you.  I will look into encryption.
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Simulator games are perfect for generating sample realistic data streams, especially for learning data analysis. It is even useful for demoing offerings such as Azure stream analytics, PowerBI etc.
Stellar Phoenix SQL Database Repair software easily fixes the suspect mode issue of SQL Server database. It is a simple process to bring the database from suspect mode to normal mode. Check out the video and fix the SQL database suspect mode problem.
Get the source code for a fully functional Access application shell with several popular security features that Access VBA application developers desire, but find difficult or impossible to figure out how to code. You get the source code for managi…
Suggested Courses

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question