Solved

Where is the best place to put id and passwords?

Posted on 2015-01-12
7
242 Views
Last Modified: 2015-01-14
Hi, I'm using VS2010.
I created a web application and I am wondering where is the best place to store the userid and password.  Currently I have it in Web.config in the App setting section.  Well, should I just put it in my C# code?  I mean when I deploy to web server then it's in dll form?  Shouldn't that be better than web.config?  If that server is hacked then they might get to the web.config and read the password.  Thank you for your input.
0
Comment
Question by:lapucca
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 34

Expert Comment

by:Mike Eghtebas
ID: 40545202
Consider storing it in a control tag property.

or instead consider:

"Set your config files in a directory outside of public webspace , the webserver should be the owner of this directory and it should have permissions set to 700. All files it contains should be 644. This way no one can even read the file contents apart from webserver user or root.

This is a common approach, but there is a lot more to the subject as security is a very vast topic, but is better than 90% of the setups out there."
0
 

Author Comment

by:lapucca
ID: 40545260
Currently the web.config is just under the www folder of the Windows IIS web server.  I don't know what do you mean but web server is the owner.  Web server is a machine and not an account that I'm aware of.  and how to set 700 permission?  I only know if I right click a folder or file then I can click on the Security tab and set different user account to different access permission level.  Appreciate it if you can elaborate.  Thank you.
0
 
LVL 34

Assisted Solution

by:Mike Eghtebas
Mike Eghtebas earned 167 total points
ID: 40545271
lapucca,

I though I have included the link for my quote in the last post. After storing in the tag suggestion, I came across the second solution for you to take a look at:

http://stackoverflow.com/questions/6281930/what-is-the-most-accepted-method-for-hiding-password-for-connect-php-file

There is more suggestion in this link.
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 

Author Comment

by:lapucca
ID: 40545318
Thanks but looking at that didn't really explain about permission 700 ....  Should I just leave it in the C# code instead?  Thank you.
0
 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
ID: 40545474
700 and 644 are linux/unix permission settings for windows you need to add system to the read permissions and 1 user with read/write permissions (so it can be changed) and deny i_user read/write permissions.
0
 
LVL 10

Accepted Solution

by:
Walter Padrón earned 167 total points
ID: 40545484
You better go with encryption

Connection Strings and Configuration Files
http://msdn.microsoft.com/en-us/library/ms254494%28v=vs.110%29.aspx

go to section  "Encrypting Configuration File Sections Using Protected Configuration"
0
 

Author Closing Comment

by:lapucca
ID: 40549688
I'm using IIS on Windows server.  Thank you.  I will look into encryption.
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Today I had a very interesting conundrum that had to get solved quickly. Needless to say, it wasn't resolved quickly because when we needed it we were very rushed, but as soon as the conference call was over and I took a step back I saw the correct …
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question