Is the app.config file a secure place to store passwords?

I need to store confidential passwords within the code. I cannot use hashing techniques, as the password itself is needed. How can I store this data securely within an app.config file?

Are there other ways I could accomplish this securely?

DPAPI and the ProtectedData class are not an option because the keys are system-specific, e.g., connection strings can't be stored this way for different end-user systems.

Answers


You can use DPAPI (Data Protection API) to encrypt certain sections of your config files. Your code would still use ConfigurationManager, and decryption will be taken care of by the framework. For more information, refer to this patterns & practices document: How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Update

To encrypt or decrypt information from your code, you could use ProtectedData.Protect & ProtectedData.Unprotect. This can be run as part of a custom action in your installer, or when the user enters the credentials while using your application.

Sample Code

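using System;
using System.Security.Cryptography; // ProtectedData (reference System.Security.dll)
using System.Text;

class SecureStringManager
{
    // Encoding used to convert between the secret string and raw bytes.
    readonly Encoding _encoding = Encoding.Unicode;

    // Decodes the Base64 blob and decrypts it with DPAPI under the current user's key.
    public string Unprotect(string encryptedString)
    {
        byte[] protectedData = Convert.FromBase64String(encryptedString);
        byte[] unprotectedData = ProtectedData.Unprotect(protectedData,
            null, DataProtectionScope.CurrentUser);

        return _encoding.GetString(unprotectedData);
    }

    // Encrypts the string with DPAPI (no additional entropy) and returns it as Base64.
    // The result can only be decrypted by the same user account on the same machine.
    public string Protect(string unprotectedString)
    {
        byte[] unprotectedData = _encoding.GetBytes(unprotectedString);
        byte[] protectedData = ProtectedData.Protect(unprotectedData,
            null, DataProtectionScope.CurrentUser);

        return Convert.ToBase64String(protectedData);
    }
}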
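An added example, not part of the original answer: the configuration-section encryption described in the answer's first paragraph, done from code on the target machine (for instance from an installer custom action or at first run), so the DPAPI key never has to leave that machine. The section name `connectionStrings` and the connection string name `AppDb` are assumptions; the project needs a reference to System.Configuration.

```csharp
using System;
using System.Configuration;

static class ConfigSectionProtector
{
    // Built-in protected-configuration provider that wraps DPAPI.
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts the named section of the running executable's .config file in place.
    // Returns true if this call encrypted it, false if it was already protected.
    public static bool EnsureProtected(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false;                       // nothing to do, avoid rewriting the file
        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("Section is locked: " + sectionName);

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;   // write even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(sectionName);
        return true;
    }
}

static class Program
{
    static void Main()
    {
        // Assumed section name; run once on each machine the application is installed on.
        bool changed = ConfigSectionProtector.EnsureProtected("connectionStrings");
        Console.WriteLine(changed ? "connectionStrings encrypted" : "already encrypted");

        // Reading is unchanged: the framework decrypts transparently.
        // "AppDb" is a hypothetical connection string name.
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["AppDb"];
        Console.WriteLine(cs != null ? "AppDb loaded" : "AppDb not defined");
    }
}
```

The process needs write access to the executable's .config file, and the encrypted section cannot be decrypted if the file is copied to another machine.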
