How do I safely store database login and password in a C# application?

I have a C# application that needs to connect to an SQL database to send some data from time to time. How can I safely store the username and password used for this job?

Answers


There is a nice MSDN article about how to secure connection strings in .NET.

You might want to use protected configuration.


Use integrated Windows authentication whenever possible. It takes the onus off of your application and lets Windows handle it. Using Windows authentication instead of SQL authentication is considered a best practice.

Read this accepted answer: the best way to connect sql server (Windows authentication vs SQL Server authentication) for asp.net app

See also: http://www.mssqltips.com/sqlservertip/1831/using-windows-groups-for-sql-server-logins-as-a-best-practice/

And: http://www.greensql.com/content/sql-server-security-best-practices

Incidentally, if this is a "job" as implied by the question, it may be a great candidate for a simple Windows service or scheduled task, both of which can run in a specific security context (i.e. as a specific Windows user).


in your app.config or web.config and then you encrypt them using the .NET encryption provider

For more info, check here: http://msdn.microsoft.com/en-us/library/dx0f3cf2%28v=vs.80%29.aspx

Encrypting Configuration Information Using Protected Configuration

http://msdn.microsoft.com/en-us/library/53tyfkaw%28v=vs.80%29.aspx
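
The protected configuration approach recommended in the answers above, as an added example that is not part of any original answer: it encrypts the `connectionStrings` section of the application's own config file on first run and then reads the connection string normally. The connection name `MainDb` and the class name are assumptions made for this example; the project needs a reference to System.Configuration.

```csharp
// Added example (not from the original answers).
using System;
using System.Configuration;
using System.Data.SqlClient;

static class ConnectionStringProtector
{
    // Hypothetical connection string name, assumed to exist in app.config.
    const string ConnectionName = "MainDb";

    // Encrypts <connectionStrings> in the .exe.config in place if it is still plaintext.
    // DataProtectionConfigurationProvider wraps Windows DPAPI; by default it uses
    // machine-level protection, so the section decrypts only on this machine.
    public static void EnsureProtected()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No connectionStrings section found.");
        if (section.SectionInformation.IsProtected)
            return; // already encrypted on an earlier run

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // Reading is unchanged: the configuration system decrypts the section transparently.
    public static string GetConnectionString()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[ConnectionName];
        if (settings == null)
            throw new ConfigurationErrorsException("Connection string '" + ConnectionName + "' is missing.");
        return settings.ConnectionString;
    }

    static void Main()
    {
        EnsureProtected();
        using (var connection = new SqlConnection(GetConnectionString()))
        {
            connection.Open();
            Console.WriteLine("Connected to " + connection.Database);
        }
    }
}
```

The process needs write access to its config file the first time it runs. Machine-level DPAPI protects the file if it is copied off the host, but code running on the same machine can still decrypt it, so file ACLs on the config remain necessary.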


Not sure about your exact requirements, but first and foremost, you have to encrypt the password. Also, when transmitting such sensitive information, consider using a secured connection.


Store an encrypted version in your connection string and form the connection string programmatically after decrypting the password.

You could use any encryption mechanism of your choice - from trivial to complex.


You may want to look at the RijndaelManaged key, which is quite a secure symmetric encryption key. A good article on this information (and tutorial) can be found here:

http://www.obviex.com/samples/Encryption.aspx


You can use an encryption and decryption algorithm for passwords, and log your user information (who created the user and at what date and time it was created) and save this in the database. And even if someone updates or edits it, log that information in the database.


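Code to convert a string into MD5

    using System.Security.Cryptography;
    using System.Text;

    // Wrapper class (name chosen here) so the method compiles on its own.
    public static class HashHelper
    {
        // Returns the MD5 hash of strword as a lowercase hexadecimal string.
        public static string ConvertStringtoMD5(string strword)
        {
            using (MD5 md5 = MD5.Create())
            {
                // Hash the ASCII-encoded bytes of the input.
                byte[] inputBytes = Encoding.ASCII.GetBytes(strword);
                byte[] hash = md5.ComputeHash(inputBytes);

                // Format each hash byte as two hex digits.
                StringBuilder sb = new StringBuilder();
                for (int i = 0; i < hash.Length; i++)
                {
                    sb.Append(hash[i].ToString("x2"));
                }
                return sb.ToString();
            }
        }
    }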
