Passwords in web.config... is this secure?

Discussion in 'ASP .Net' started by John Buchmann, Dec 15, 2003.

  1. In my web.config, I have a section that has a name and
    password:

    <credentials passwordFormat="Clear">
    <user name="aaa" password="bbb" />
    </credentials>

    Is this secure? What is to stop someone from opening up
    this file (it's a simple text file), getting the
    sensitive info, and then breaking into my site?

    If this is NOT secure, what is there I can do to make it
    secure?

    Thanks!
    John
     
    John Buchmann, Dec 15, 2003
    #1

  2. When the .NET framework is installed, it modifies IIS to explicitly deny
    public access to .config files. However, it's still not very secure... You
    can encrypt the passwords using MD5 or SHA1, which will add a little more
    security.

    Eg.

    <credentials passwordFormat="MD5">
    <user name="username" password="hashedpasswordhere"/>
    </credentials>

    You can hash passwords using this online utility -
    http://support.tigress-uk.com/technical/HashPwd.aspx, or it's quite easy to
    create your own, if you prefer.

    Hope this helps,

    Mun




    "John Buchmann" <> wrote in message
    news:07d301c3c320$ae3f0000$...
    > In my web.config, I have a section that has a name and
    > password:
    >
    > <credentials passwordFormat="Clear">
    > <user name="aaa" password="bbb" />
    > </credentials>
    >
    > Is this secure? What is to stop someone from opening up
    > this file (it's a simple text file), getting the
    > sensitive info, and then breaking into my site?
    >
    > If this is NOT secure, what is there I can do to make it
    > secure?
    >
    > Thanks!
    > John
     
    Munsifali Rashid, Dec 15, 2003
    #2
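The hashed-credentials approach Mun describes relies on producing the same digest encoding that ASP.NET forms authentication computes when it checks a login. The script below is an added example, not code from the thread or from the online utility linked above; it assumes, as `FormsAuthentication.HashPasswordForStoringInConfigFile` does, that the password is UTF-8 encoded and the digest is written as uppercase hex. It generates a `<credentials>` fragment for a set of constructed sample accounts and verifies a candidate password against a stored digest.

```python
"""Produce and check the MD5/SHA1 password digests that ASP.NET 1.x forms
authentication expects in <credentials passwordFormat="MD5|SHA1">.

Added example (not from the original thread). Assumption: ASP.NET hashes the
UTF-8 bytes of the password and stores the digest as uppercase hex, which is
what FormsAuthentication.HashPasswordForStoringInConfigFile emits.
"""
import hashlib
import hmac
from xml.sax.saxutils import quoteattr

# The two hashed formats web.config accepts; "Clear" is deliberately excluded.
SUPPORTED = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def hash_for_config(password: str, password_format: str = "SHA1") -> str:
    """Return the uppercase hex digest for the given passwordFormat value."""
    try:
        digest = SUPPORTED[password_format.upper()]
    except KeyError:
        raise ValueError(f"unsupported passwordFormat: {password_format!r}")
    return digest(password.encode("utf-8")).hexdigest().upper()


def credentials_section(users: dict, password_format: str = "SHA1") -> str:
    """Render a <credentials> fragment with every password replaced by its digest.

    quoteattr() escapes attribute values so an unusual user name cannot
    break the XML.
    """
    fmt = password_format.upper()
    lines = [f'<credentials passwordFormat="{fmt}">']
    for name, password in users.items():
        lines.append(
            f"  <user name={quoteattr(name)} "
            f"password={quoteattr(hash_for_config(password, fmt))} />"
        )
    lines.append("</credentials>")
    return "\n".join(lines)


def verify(candidate: str, stored_hash: str, password_format: str = "SHA1") -> bool:
    """Check a login attempt against the stored digest with a constant-time compare."""
    return hmac.compare_digest(
        hash_for_config(candidate, password_format), stored_hash.upper()
    )


if __name__ == "__main__":
    # Constructed sample accounts; not real credentials.
    sample_users = {"aaa": "bbb", "ops": "letmein"}
    print(credentials_section(sample_users, "SHA1"))
    print("login ok:", verify("bbb", hash_for_config("bbb")))
```

Paste the printed fragment into web.config in place of the `passwordFormat="Clear"` section. Note why this only adds "a little more security", as Mun puts it: the digest is unsalted, so two accounts with the same password get identical entries, and MD5/SHA1 are fast enough that a copied file can be tested against large word lists offline. Hashing limits the damage if web.config is read; preventing it from being read (the file permissions discussed later in the thread) is the primary control.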

  3. Mun,

    Thanks for your reply and advice.

    My problem is that if someone can log into the server via
    an FTP program (I use WS_FTP), then the web.config is
    easily viewable with no restrictions.

    The encryption schemes you mentioned are to deny people
    access via a web browser? I will look into hashed
    passwords, but if someone gets into my site via an FTP
    program, does this encryption do anything?

    Thanks!
    John


    >-----Original Message-----
    >When the .NET framework is installed, it modifies IIS to explicitly deny
    >public access to .config files. However, it's still not very secure... You
    >can encrypt the passwords using MD5 or SHA1, which will add a little more
    >security.
    >
    >Eg.
    >
    ><credentials passwordFormat="MD5">
    > <user name="username" password="hashedpasswordhere"/>
    ></credentials>
    >
    >You can hash passwords using this online utility -
    >http://support.tigress-uk.com/technical/HashPwd.aspx, or it's quite easy to
    >create your own, if you prefer.
    >
    >Hope this helps,
    >
    >Mun
    >
    >"John Buchmann" <> wrote in message
    >news:07d301c3c320$ae3f0000$...
    >> In my web.config, I have a section that has a name and
    >> password:
    >>
    >> <credentials passwordFormat="Clear">
    >> <user name="aaa" password="bbb" />
    >> </credentials>
    >>
    >> Is this secure? What is to stop someone from opening up
    >> this file (it's a simple text file), getting the
    >> sensitive info, and then breaking into my site?
    >>
    >> If this is NOT secure, what is there I can do to make it
    >> secure?
    >>
    >> Thanks!
    >> John
    >
     
    John Buchmann, Dec 15, 2003
    #3
  4. John,

    What you could possibly do is only grant the ASPNET account access to the
    web.config, and explicitly deny all other accounts, so that no other user
    accounts can access it other than the ASPNET account. Assuming you're using
    the standard FTP Server as part of IIS, users will have to log in using a
    Windows account. The account they log in with will not have access to
    web.config, and therefore they will not be able to read the file and see the
    user security details.

    You might want to consider moving user details into a database. In this
    case, the web.config file won't contain any user credentials. However, this
    can turn into a catch-22, as the web.config file will then (probably)
    contain the database connection string, which in turn will give the
    hacker-to-be access to the database and the user credentials table. You could
    hard-code the database string into the login class (code-behind file), but
    this will make maintenance more awkward. Another option would be to encrypt
    the database string, but this situation would be no different from encrypting
    the user passwords directly...

    The encryption schemes mentioned are to authenticate people who try to
    access web content which is being secured using the built-in Forms
    Authentication in ASP.NET. As far as I know, it won't have any effect on
    users who access your site using FTP. The only way to regulate FTP users
    would be through the FTP Server software itself.

    Hope this helps,

    Mun





    "John Buchmann" <> wrote in message
    news:069201c3c329$c774c560$...
    > Mun,
    >
    > Thanks for your reply and advice.
    >
    > My problem is that if someone can log into the server via
    > an FTP program (I use WS_FTP), then the web.config is
    > easily viewable with no restrictions.
    >
    > The encryption schemes you mentioned are to deny people
    > access via a web browser? I will look into hashed
    > passwords, but if someone gets into my site via an FTP
    > program, does this encryption do anything?
    >
    > Thanks!
    > John
     
    Munsifali Rashid, Dec 15, 2003
    #4