Jim Schwetz
asked on
Hiding my password for my connection string asp classic
I work for a corporation, to get access to a database, they do not want me to see the password. they want to hide it in a hidden folder.
If they hid a file in a folder, and give me the path, so my webpage could read it, that would work. But I am getting the run around, alot of security jargon, and none of them know asp classic.
Is there a preferred way for me to have access to a file that I can not see the password on ? BY access, I mean using an include statement to pull the password.
Here are some questions they ask or tell me:
as Ste5an mentioned, I did leave out some info. I use a connection string to connect to the database from a web page. and in that string I hardcode a UserID and password. so the user using the web page does not have to sign in. the userID is a process ID. I also store the passwords on another file on the server, and use include statements to retrieve the passwords. When I asked them for a password, they wanted to take over my screen, to put in the password, so that I did not see the password. Once they see my file, they do not want to put it in as text, so that I could see it. the web page only returns results, no write or update needed.
If they hid a file in a folder, and give me the path, so my webpage could read it, that would work. But I am getting the run around, alot of security jargon, and none of them know asp classic.
Is there a preferred way for me to have access to a file that I can not see the password on ? BY access, I mean using an include statement to pull the password.
Here are some questions they ask or tell me:
- Can you application utilize properties file with AES encryption on the password? We can also store the credentials to WebUser database
- Schema owner access is made ONLY through encrypted strings generated by Security Access Management Team
- o Passwords must be encrypted or obfuscated to prevent unauthorized access
as Ste5an mentioned, I did leave out some info. I use a connection string to connect to the database from a web page. and in that string I hardcode a UserID and password. so the user using the web page does not have to sign in. the userID is a process ID. I also store the passwords on another file on the server, and use include statements to retrieve the passwords. When I asked them for a password, they wanted to take over my screen, to put in the password, so that I did not see the password. Once they see my file, they do not want to put it in as text, so that I could see it. the web page only returns results, no write or update needed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your input. I did put my passwords on another file. Now to go redo my other programs so they all use the same type of password includes.
You need to clarfiy the roles of administration and development. A developer does not have to know the production passwords, but a adminstrator has to.
Thus you should simply show them how they need to setup your application.