Places to store a password

Discussion in 'ASP .Net' started by eggie5, Mar 12, 2007.

  1. eggie5

    eggie5 Guest

    I'm looking for the best place to store a general password I use on
    my website. Short of hard coding it into one of my aspx.cs files, I'm
    trying to find a good place to store it. The only place I can think of
    is the web.config file. Can somebody give me some pointers on elegent
    ways to do this with asp.net?
    eggie5, Mar 12, 2007
    #1
    1. Advertising

  2. Try looking into the Data Protection API that was introduced in Win2k. It's
    exposed in .Net via the System.Security.Cryptography.ProtectedData class.
    The .config file isn't a great place, as it's only protected from users by
    IIS blocking access (and I've seen a web site expose it when someone
    inadvertantly deregistered ASP.Net)
    Keith Patrick, Mar 13, 2007
    #2
    1. Advertising

  3. If you need to retrieve the actual value of the password, you could put it
    in Web.config - but make sure it's properly encrypted. Better still, put it
    in a database (encrypted). You could also store it in the filesystem in a
    folder only readable by your application. And finally, something we have
    actually done, is to store the encrypted password in a database, but
    retrieve it via a remote object: this allows you to have your application,
    your remote object and your database all on different machines, which adds
    some extra layers of security. Security is all about layers.

    However, if you just want to compare the password with one that's been
    entered, for authentication purposes, then store a hash - again, preferably
    in a database. You never retrieve the password itself, but compare the hash
    of the entry against the hash you've saved.


    Peter


    "eggie5" <> wrote in message
    news:...
    > I'm looking for the best place to store a general password I use on
    > my website. Short of hard coding it into one of my aspx.cs files, I'm
    > trying to find a good place to store it. The only place I can think of
    > is the web.config file. Can somebody give me some pointers on elegent
    > ways to do this with asp.net?
    >
    Peter Bradley, Mar 13, 2007
    #3
  4. eggie5

    Paul Guest

    On 12 Mar, 23:37, "eggie5" <> wrote:
    > I'm looking for the best place to store a general password I use on
    > my website. Short of hard coding it into one of my aspx.cs files, I'm
    > trying to find a good place to store it. The only place I can think of
    > is the web.config file. Can somebody give me some pointers on elegent
    > ways to do this with asp.net?


    If you really only need a single password, I would store a hash of it
    in the Webconfig.

    This should be suitably secure as long as you 'salt' the password in
    your code.

    Then when you test the PWD in your code, simply hash and then test
    against your webconfig key.

    If you need code, just reply, I will try and post some.
    Paul, Mar 13, 2007
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Guadala Harry

    Where/How to Securely Store ID and Password?

    Guadala Harry, Feb 20, 2004, in forum: ASP .Net
    Replies:
    5
    Views:
    4,351
    Guadala Harry
    Feb 22, 2004
  2. Paul
    Replies:
    3
    Views:
    341
    A. Elamiri
    Apr 16, 2004
  3. =?Utf-8?B?UnVkeQ==?=

    to store or not to store an image

    =?Utf-8?B?UnVkeQ==?=, Mar 29, 2005, in forum: ASP .Net
    Replies:
    6
    Views:
    634
    =?Utf-8?B?UnVkeQ==?=
    Mar 30, 2005
  4. AAaron123
    Replies:
    2
    Views:
    2,142
    AAaron123
    Jan 16, 2009
  5. AAaron123
    Replies:
    1
    Views:
    1,332
    Oriane
    Jan 16, 2009
Loading...

Share This Page