Hiding my password for my connection string asp classic

Jim Schwetz
I work for a corporation. To get access to a database, they do not want me to see the password. They want to hide it in a hidden folder.
If they hid a file in a folder and gave me the path, so my webpage could read it, that would work. But I am getting the runaround, a lot of security jargon, and none of them know ASP Classic.
Is there a preferred way for me to have access to a file that I cannot see the password in? By access, I mean using an include statement to pull the password.

Here are some questions they ask or tell me:
  • Can your application utilize a properties file with AES encryption on the password? We can also store the credentials to WebUser database

  • Schema owner access is made ONLY through encrypted strings generated by Security Access Management Team
  • Passwords must be encrypted or obfuscated to prevent unauthorized access

As ste5an mentioned, I did leave out some info. I use a connection string to connect to the database from a web page, and in that string I hardcode a UserID and password, so the user using the web page does not have to sign in. The UserID is a process ID. I also store the passwords in another file on the server, and use include statements to retrieve the passwords. When I asked them for a password, they wanted to take over my screen to put in the password, so that I did not see the password. Once they saw my file, they did not want to put it in as text, because I could see it. The web page only returns results; no write or update is needed.

IT - Project Manager
Well, whenever I use ASP + MS SQL, this is what I follow:

In MS SQL - I'll create a SA authentication, i.e., ask your IT/database team to create a db user and db password with read / read & write permissions.

In Classic ASP - Use intranet authentication to connect & use an include file for SQL connections.


In ASP - The include file should look something like this:

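<%
' Take the account name from the DOMAIN\user value that IIS reports for the signed-in user
Dim strNTUser, iPos
strNTUser = RTrim(Request.ServerVariables("LOGON_USER"))
iPos = Len(strNTUser) - InStr(1, strNTUser, "\", 1)
strNTUser = Right(strNTUser, iPos)

' ADO objects shared by the pages that include this file
Set Conn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")

' Servername, DBName, SAUserID and SAPassword are placeholders for the values from the database team
Conn.Open "Provider=sqloledb;Data Source=Servername;Initial Catalog=DBName;User Id=SAUserID;Password=SAPassword;"
%>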


ste5an, Senior Developer

Sounds like there is some information missing. Otherwise it sounds like nonsense.

You need to clarify the roles of administration and development. A developer does not have to know the production passwords, but an administrator has to.

Thus you should simply show them how they need to setup your application.
Jim Schwetz, Web Specialist


Thanks for your input. I did put my passwords on another file.  Now to go redo my other programs so they all use the same type of password includes.
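
An added example, not code from any participant in this thread: the page reads the connection string from a file that administrators place outside the web root, so the password never appears in the page source or in an include file under the site. The path `D:\secure\appdb.connstr` and the function name `LoadConnectionString` are hypothetical, and the example assumes NTFS read permission on the file is limited to the account the site runs under.

```vbscript
<%
' Added example. CRED_FILE is a hypothetical path outside the web root, so IIS
' can never serve the file to a browser the way it can serve a .inc file.
Const CRED_FILE = "D:\secure\appdb.connstr"
Const ForReading = 1

' Returns the first non-blank, non-comment line of the file, or "" on any failure.
Function LoadConnectionString(path)
    Dim fso, ts, line
    LoadConnectionString = ""
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(path) Then Exit Function

    On Error Resume Next
    Set ts = fso.OpenTextFile(path, ForReading)
    If Err.Number <> 0 Then          ' e.g. permission denied for this identity
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    Do Until ts.AtEndOfStream
        line = Trim(ts.ReadLine)
        If Len(line) > 0 And Left(line, 1) <> "#" Then
            LoadConnectionString = line
            Exit Do
        End If
    Loop
    ts.Close
End Function

Sub FailClosed(msg)
    ' Generic message only: never echo Err.Description or the connection string.
    Response.Status = "500 Internal Server Error"
    Response.Write msg
    Response.End
End Sub

Dim connStr, Conn
connStr = LoadConnectionString(CRED_FILE)
If connStr = "" Then FailClosed "Database configuration unavailable."

Set Conn = Server.CreateObject("ADODB.Connection")
On Error Resume Next
Conn.Open connStr
If Err.Number <> 0 Then FailClosed "Database connection failed."
On Error GoTo 0
connStr = ""                         ' drop the secret once the connection is open
%>
```

Code running under the site's identity can still read the file, so this keeps the password out of source files and source control; it does not hide it from whoever can deploy pages to the server.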
