Password is stored in variables and is a potential security threat.

I need to repair the C# code below because some audit software is flagging it. Below is a small portion of the method which is being flagged by the audit. This is for an asp.net web application.

The audit message reads: "Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security in a way that cannot be easily remedied. Furthermore, it is never a good idea to hardcode a password. Not only does it allow all of the project's developers to view the password, it also makes the problem extremely difficult. Once code is in production the password is now leaked to the outside world and cannot be protected or changed without patching the software."

I need expert advice on how to best correct this issue. The only thing that comes to mind is to encrypt the password, however that seems rather extreme. Does any expert have a better solution or recommendation?

public void ChangeUserPassword(string UserID, string strCurrentPassword, string strNewPassword)
{
    SqlCommand _command = new SqlCommand();
    // Positional placeholders @0 and @1 are bound to the two parameters below.
    _command.CommandText = "sp_password @0, @1";

    var parameter = _command.CreateParameter();
    parameter.ParameterName = "@0";
    parameter.DbType = DbType.String;
    parameter.Value = strCurrentPassword;
    _command.Parameters.Add(parameter);

    parameter = _command.CreateParameter();
    parameter.ParameterName = "@1";   // must match the placeholder in CommandText
    parameter.DbType = DbType.String;
    parameter.Value = strNewPassword;
    _command.Parameters.Add(parameter);
}
brgdotnetcontractor asked:
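Nothing in the posted method hardcodes a password; both values arrive as arguments, so the scanner is most likely matching the variable names. What a reviewer would still want to see is that the code contains no secret literals at all (the connection string included), that the values reach SQL Server only as bound parameters, and that the command actually executes and disposes its resources. The following is an added example written for this answer, not code from the original post. It assumes a connection string named "ChangePasswordDb" in web.config; the parameter names @old, @new and @loginame are those of sp_password itself. Note that sp_password is deprecated in current SQL Server releases in favour of ALTER LOGIN, which is kept here only because it is what the posted code calls.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public class PasswordService
{
    // The connection string is read from configuration, never embedded in code.
    // "ChangePasswordDb" is an assumed name for this example.
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["ChangePasswordDb"].ConnectionString; }
    }

    public void ChangeUserPassword(string userId, string currentPassword, string newPassword)
    {
        if (string.IsNullOrEmpty(newPassword))
            throw new ArgumentException("New password must not be empty.", "newPassword");

        using (var connection = new SqlConnection(ConnectionString))
        using (var command = connection.CreateCommand())
        {
            // sp_password @old, @new, @loginame. Passwords travel as typed parameters,
            // so they are never concatenated into SQL text, never part of a logged
            // statement and never an injection vector. sysname is nvarchar(128).
            command.CommandType = CommandType.StoredProcedure;
            command.CommandText = "sp_password";
            command.Parameters.Add("@old", SqlDbType.NVarChar, 128).Value = currentPassword;
            command.Parameters.Add("@new", SqlDbType.NVarChar, 128).Value = newPassword;
            // @loginame selects the login to change; omitting it changes the
            // password of the login that opened the connection.
            command.Parameters.Add("@loginame", SqlDbType.NVarChar, 128).Value = userId;

            connection.Open();
            command.ExecuteNonQuery();
        }
    }
}
```

The connectionStrings section itself can be encrypted on the server with `aspnet_regiis -pe "connectionStrings" -app "/YourApp"`, so neither the code nor web.config holds a plaintext database password; ConfigurationManager decrypts it transparently at runtime. What this example cannot do is wipe currentPassword and newPassword after use: System.String is immutable, and the copies stay in managed memory until garbage collected.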

Anthony Carter commented:
I recommend you take a read through https://msdn.microsoft.com/en-us/library/89211k9b(v=vs.110).aspx

A good look at how this should be done is here: https://msdn.microsoft.com/en-us/library/ms254494(v=vs.110).aspx

BTW, I hope you changed the passwords before posting the connection information above...

chaau commented:
You need to use SecureString for the variables that hold the passwords. Using normal String variables can potentially expose them in memory dumps when the application crashes. SecureString manages the value in such a way that even when the program crashes, the memory block where the string is written is encrypted.
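To show what the SecureString approach looks like end to end, here is an added example written for this thread, not code from the original post or from chaau. It assumes SQL authentication with the server, database and user name supplied by the caller; the sp_password parameter names @old and @new are the procedure's own. The one place ADO.NET consumes a SecureString directly is SqlCredential for the connection password; a stored-procedure parameter still needs a System.String, so the example decrypts into unmanaged memory for the duration of a single call and zeroes that buffer afterwards.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security;

public static class SecurePasswordExample
{
    // Build the SecureString one character at a time so the complete secret is
    // never assembled as a managed string here, then wipe the caller's buffer.
    public static SecureString ToSecureString(char[] chars)
    {
        var secure = new SecureString();
        foreach (char c in chars)
            secure.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);
        secure.MakeReadOnly();   // SqlCredential requires a read-only SecureString
        return secure;
    }

    // SqlCredential passes the connection password to the driver without ever
    // materialising it as a managed string. The connection string must not
    // contain User ID, Password or Integrated Security when a credential is used.
    public static SqlConnection OpenConnection(string server, string database,
                                               string userId, SecureString password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            Encrypt = true
        };
        var connection = new SqlConnection(builder.ConnectionString,
                                           new SqlCredential(userId, password));
        connection.Open();
        return connection;
    }

    // Decrypt only for the span of one ExecuteNonQuery, then zero the unmanaged
    // copies. ZeroFreeGlobalAllocUnicode overwrites the buffer before freeing it.
    public static void ChangePassword(SqlConnection connection,
                                      SecureString current, SecureString replacement)
    {
        IntPtr oldPtr = IntPtr.Zero, newPtr = IntPtr.Zero;
        try
        {
            oldPtr = Marshal.SecureStringToGlobalAllocUnicode(current);
            newPtr = Marshal.SecureStringToGlobalAllocUnicode(replacement);
            using (var command = connection.CreateCommand())
            {
                command.CommandType = CommandType.StoredProcedure;
                command.CommandText = "sp_password";
                command.Parameters.Add("@old", SqlDbType.NVarChar, 128).Value = Marshal.PtrToStringUni(oldPtr);
                command.Parameters.Add("@new", SqlDbType.NVarChar, 128).Value = Marshal.PtrToStringUni(newPtr);
                command.ExecuteNonQuery();
            }
        }
        finally
        {
            if (oldPtr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(oldPtr);
            if (newPtr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(newPtr);
        }
    }
}
```

Two caveats a practitioner should weigh. First, Marshal.PtrToStringUni still creates managed string copies for the parameter values, and those live until the garbage collector reclaims them, so SecureString narrows the exposure window rather than closing it. Second, in an ASP.NET application the password has already arrived from the request as a managed string before any of this code runs, so the pattern only bounds copies made after that point; SqlCredential for the connection password is where it buys the most.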