Places to store a password

eggie5

I'm looking for the best place to store a general password I use on
my website. Short of hard coding it into one of my aspx.cs files, I'm
trying to find a good place to store it. The only place I can think of
is the web.config file. Can somebody give me some pointers on elegant
ways to do this with asp.net?
 
Keith Patrick

Try looking into the Data Protection API that was introduced in Win2k. It's
exposed in .Net via the System.Security.Cryptography.ProtectedData class.
The .config file isn't a great place, as it's only protected from users by
IIS blocking access (and I've seen a web site expose it when someone
inadvertently deregistered ASP.Net).
 
Peter Bradley

If you need to retrieve the actual value of the password, you could put it
in Web.config - but make sure it's properly encrypted. Better still, put it
in a database (encrypted). You could also store it in the filesystem in a
folder only readable by your application. And finally, something we have
actually done, is to store the encrypted password in a database, but
retrieve it via a remote object: this allows you to have your application,
your remote object and your database all on different machines, which adds
some extra layers of security. Security is all about layers.

However, if you just want to compare the password with one that's been
entered, for authentication purposes, then store a hash - again, preferably
in a database. You never retrieve the password itself, but compare the hash
of the entry against the hash you've saved.


Peter
 
Paul

I'm looking for the best place to store a general password I use on
my website. Short of hard coding it into one of my aspx.cs files, I'm
trying to find a good place to store it. The only place I can think of
is the web.config file. Can somebody give me some pointers on elegant
ways to do this with asp.net?

If you really only need a single password, I would store a hash of it
in the Webconfig.

This should be suitably secure as long as you 'salt' the password in
your code.

Then when you test the PWD in your code, simply hash and then test
against your webconfig key.

If you need code, just reply, I will try and post some.
 
