Hiding my password for my connection string asp classic

I work for a corporation. To get access to a database, they do not want me to see the password. They want to hide it in a hidden folder.
If they hid a file in a folder and gave me the path, so my webpage could read it, that would work. But I am getting the runaround, a lot of security jargon, and none of them know ASP Classic.
Is there a preferred way for me to have access to a file that I cannot see the password on? By access, I mean using an include statement to pull the password.

Here are some questions they ask or tell me:
  • Can your application utilize a properties file with AES encryption on the password? We can also store the credentials to WebUser database

  • Schema owner access is made ONLY through encrypted strings generated by Security Access Management Team
  • Passwords must be encrypted or obfuscated to prevent unauthorized access

As Ste5an mentioned, I did leave out some info. I use a connection string to connect to the database from a web page, and in that string I hardcode a UserID and password, so the user using the web page does not have to sign in. The userID is a process ID. I also store the passwords in another file on the server, and use include statements to retrieve the passwords. When I asked them for a password, they wanted to take over my screen to put in the password, so that I did not see the password. Once they see my file, they do not want to put it in as text, so that I could see it. The web page only returns results; no write or update is needed.

IT - Project Manager
Well, whenever I use ASP + MS SQL, this is what I follow:

In MS SQL - I'll create a SA authentication, i.e., ask your IT/database team to create a db user and db password with read / read & write permissions.

In Classic ASP - Use intranet authentication to connect & use an include file for SQL connections.

In ASP - The include file should look something like this:

<%
Dim strNTUser, iPos

' Authenticated Windows logon name; strip the "DOMAIN\" prefix if present
strNTUser = RTrim(Request.ServerVariables("LOGON_USER"))
iPos = Len(strNTUser) - InStr(1, strNTUser, "\", 1)
strNTUser = Right(strNTUser, iPos)

Set Conn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")

' Servername, DBName, SAUserID and SAPassword are placeholders
Conn.Open "Provider=sqloledb;Data Source=Servername;Initial Catalog=DBName;User Id=SAUserID;Password=SAPassword;"
%>


ste5an, Senior Developer

Sounds like there is some information missing. Otherwise it sounds like nonsense.

You need to clarify the roles of administration and development. A developer does not have to know the production passwords, but an administrator has to.

Thus you should simply show them how they need to set up your application.

Jim Schwetz, Web Specialist


Thanks for your input. I did put my passwords on another file.  Now to go redo my other programs so they all use the same type of password includes.
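
One way to arrange the split the question asks for and ste5an's answer describes (administrators own the secret, the developer only knows a path), as an added example that is not code from any poster in this thread. The file name dbconn.asp, the path D:\secure\appdb.connstr and the function names are hypothetical; it assumes an administrator stores the full connection string on the first line of that file, outside the web root, readable only by the account the site runs as.

```vbscript
<%
' dbconn.asp (hypothetical name): include this instead of hardcoding credentials.
' Assumption: the file below is created by an administrator outside the web
' root, holds the full connection string on its first line, and is readable
' only by the account the site runs as. The path is a placeholder.
Const CONN_FILE = "D:\secure\appdb.connstr"
Const ForReading = 1

' Returns the first line of the file, or "" if it cannot be read.
Function ReadConnString(path)
    Dim fso, f
    ReadConnString = ""
    On Error Resume Next
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(path, ForReading)
    If Err.Number = 0 Then
        ReadConnString = Trim(f.ReadLine)
        f.Close
    End If
    Err.Clear
    On Error GoTo 0
End Function

' Returns an open ADODB.Connection, or Nothing on any failure.
Function OpenDb()
    Dim cs, c
    Set OpenDb = Nothing
    cs = ReadConnString(CONN_FILE)
    If cs <> "" Then
        On Error Resume Next
        Set c = Server.CreateObject("ADODB.Connection")
        c.Open cs
        If Err.Number = 0 Then Set OpenDb = c
        Err.Clear
        On Error GoTo 0
    End If
End Function

Dim Conn
Set Conn = OpenDb()
If Conn Is Nothing Then
    ' Generic failure: never write the path, the connection string
    ' or Err.Description into the response.
    Response.Status = "500 Internal Server Error"
    Response.Write "Database unavailable."
    Response.End
End If
%>
```

Because pages run under the same account that can read the file, anyone who can deploy code to the site can still print the string, so this separates roles only if deployment to production is controlled as well.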