Passwords in web.config... is this secure?

[John Buchmann]

In my web.config, I have a section that has a name and
password:

<credentials passwordFormat="Clear">
<user name="aaa" password="bbb" />
</credentials>

Is this secure? What is to stop someone from opening up
this file (it's a simple text file), getting the
sensitive info, and then breaking into my site?

If this is NOT secure, what is there I can do to make it
secure?

Thanks!
John

 

[Munsifali Rashid]

When the .NET framework is installed, it modifies IIS to explicitly deny
public access to .config files. However, it's still not very secure... You
can encrypt the passwords using MD5 or SHA1, which will add a little more
security.

Eg.

<credentials passwordFormat="MD5">
<user name="username" password="hashedpasswordhere"/>
</credentials>

You can hash passwords using this online utility -
http://support.tigress-uk.com/technical/HashPwd.aspx, or it's quite easy to
create your own, if you prefer.

Hope this helps,

Mun

 

[John Buchmann]

Mun,

Thanks for your reply and advice.

My problem is that if someone can log into the server via
an FTP program (I use WS_FTP), then the web.config is
easily viewable with no restrictions.

The encryption schemes you mentioned are to deny people
access via a web browser? I will look into hashed
passwords, but if someone gets into my site via an FTP
program, does this encryption do anything?

Thanks!
John

 

[Munsifali Rashid]

John,

What you could possibly do is only grant the ASPNET account access the
web.config, and explicitly deny all other accounts, so that no other user
accounts can access it other than the ASPNET account. Assuming you're using
the standard FTP Server as part of IIS, users will have to login using a
Windows account. The account they login with will not have access to
web.config, and therefore they will not be able to read the file and see the
user security details.

You might want to consider moving user details into a database. In this
case, the web.config file wont contain any user credentials. However, this
can turn into a catch-22, as the web.config file will then (probably)
contain the database connection string, which in turn, will give the
hacker-to-be access to the database, and user credentials table. You could
hard-code the database string into the login class (code-behind file), but
this will make maintenance more awkward. Another option would be to encrypt
the database string, but this situation would no different from encrypting
the user passwords directly...

The encryption schemes mentioned are to authenticate people who try and
access web content which is being secured using the built-in Forms
Authentication in ASP.NET. As far as I know, It won't have any affect on
users who access your site using FTP. The only way to regulate FTP users
would be through the FTP Server software itself.

Hope this helps,

Mun