Solved

Where is the best place to put id and passwords?

Posted on 2015-01-12
7
244 Views
Last Modified: 2015-01-14
Hi, I'm using VS2010.
I created a web application and I am wondering where is the best place to store the userid and password.  Currently I have it in Web.config in the App setting section.  Well, should I just put it in my C# code?  I mean when I deploy to web server then it's in dll form?  Shouldn't that be better than web.config?  If that server is hacked then they might get to the web.config and read the password.  Thank you for your input.
Question by:lapucca
7 Comments
 
LVL 34

Expert Comment

by:Mike Eghtebas
ID: 40545202
Consider storing it in a control tag property.

or instead consider:

"Set your config files in a directory outside of public webspace , the webserver should be the owner of this directory and it should have permissions set to 700. All files it contains should be 644. This way no one can even read the file contents apart from webserver user or root.

This is a common approach, but there is a lot more to the subject as security is a very vast topic, but is better than 90% of the setups out there."
0
 

Author Comment

by:lapucca
ID: 40545260
Currently the web.config is just under the www folder of the Windows IIS web server.  I don't know what you mean by web server is the owner.  Web server is a machine and not an account that I'm aware of.  And how to set 700 permission?  I only know if I right click a folder or file then I can click on the Security tab and set different user account to different access permission level.  Appreciate it if you can elaborate.  Thank you.
0
 
LVL 34

Assisted Solution

by:Mike Eghtebas
Mike Eghtebas earned 167 total points
ID: 40545271
lapucca,

I thought I had included the link for my quote in the last post. After the storing-in-the-tag suggestion, I came across the second solution for you to take a look at:

http://stackoverflow.com/questions/6281930/what-is-the-most-accepted-method-for-hiding-password-for-connect-php-file

There are more suggestions in this link.
0

 

Author Comment

by:lapucca
ID: 40545318
Thanks but looking at that didn't really explain about permission 700 ....  Should I just leave it in the C# code instead?  Thank you.
0
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
ID: 40545474
700 and 644 are Linux/Unix permission settings. For Windows you need to add system to the read permissions and 1 user with read/write permissions (so it can be changed) and deny i_user read/write permissions.
0
 
LVL 10

Accepted Solution

by:
Walter Padrón earned 167 total points
ID: 40545484
You better go with encryption.

Connection Strings and Configuration Files
http://msdn.microsoft.com/en-us/library/ms254494%28v=vs.110%29.aspx

Go to the section "Encrypting Configuration File Sections Using Protected Configuration".
0
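
One way to apply the Protected Configuration approach from the accepted answer to the `appSettings` section the question mentions, as an added example (not code from this thread or from the linked MSDN page). The class name, the virtual path `/MyApp` and the key name `DbPassword` are hypothetical.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper: encrypts the appSettings section of a site's web.config
// in place, then reads a value back through the normal configuration API.
public static class ConfigProtector
{
    // Built-in DPAPI provider. By default the key is tied to the machine, so
    // run this on the target server; a copied web.config will not decrypt
    // elsewhere. RsaProtectedConfigurationProvider is the built-in alternative
    // when the same file must work on several servers.
    private const string Provider = "DataProtectionConfigurationProvider";

    // virtualPath example (hypothetical): "/MyApp"
    public static bool ProtectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");

        // A missing or locked section cannot be encrypted.
        if (section == null || section.SectionInformation.IsLocked)
            return false;

        // Already encrypted: nothing to do.
        if (section.SectionInformation.IsProtected)
            return true;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        // Rewrites web.config; the account running this needs write access to it.
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code does not change: ASP.NET decrypts the section
    // transparently. key example (hypothetical): "DbPassword"
    public static string ReadSecret(string key)
    {
        string value = WebConfigurationManager.AppSettings[key];
        if (value == null)
            throw new ConfigurationErrorsException("Missing appSettings key: " + key);
        return value;
    }
}
```

Encryption protects the file at rest; code running as the application identity on that server can still read the value, so the file permissions discussed earlier in the thread still apply.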
 

Author Closing Comment

by:lapucca
ID: 40549688
I'm using IIS on Windows server.  Thank you.  I will look into encryption.
0

Question has a verified solution.