Configuration files are definitely a bad place to store sensitive data like
user credentials. Here are some guidelines about storing sensitive data
in config files:
http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx
You don't have a silver bullet here, but you should add as many security
levels as you can (defense in depth).
One common approach is to store a registry path in your config file and
save in that registry entry (with a strong ACL) the data encrypted with DPAPI
(local machine mode). You have a tool that does this here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;329290
Then you have to decrypt this data; here is a sample:
string decryptedData = Encoding.Unicode.GetString( ProtectedData.Decrypt(
registryBytes ) );
ProtectedData is the managed DPAPI wrapper in the open source NCrypto
project.
registryBytes is the byte array from the registry entry that the tool
mentioned above creates.
You can get the NCrypto project from here:
http://sourceforge.net/projects/ncrypto/
--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.
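The approach described in the post above, written out end to end as an added example (this is not code from the post, from NCrypto, or from the KB tool): the config file holds only a registry path, the registry value holds the DPAPI-encrypted blob under a restrictive ACL, and the application decrypts it at run time. It uses System.Security.Cryptography.ProtectedData from .NET Framework 2.0+ (System.Security.dll), the built-in managed DPAPI wrapper that took over the role of the NCrypto class. The appSettings key "CredentialRegistryPath", the registry value name "Credential", the sample path, the entropy string and the service account name are all assumptions made for the example.

```csharp
// Added example, not part of the original post. Assumes .NET Framework 2.0+
// on Windows; config key, registry path, value name, entropy and account
// name below are hypothetical placeholders.
using System;
using System.Configuration;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

static class DpapiRegistryStore
{
    // Optional entropy: LocalMachine scope lets any process on the box call
    // Unprotect, so an app-specific secondary secret raises the bar for an
    // attacker who has copied the blob off the machine. (Hypothetical value.)
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("contoso-app-v1");

    // Registry path relative to HKLM, read from app.config, e.g.
    //   <add key="CredentialRegistryPath" value="SOFTWARE\Contoso\App" />
    // The config file therefore never contains the credential itself.
    static string RegistryPath
    {
        get
        {
            string path = ConfigurationManager.AppSettings["CredentialRegistryPath"];
            if (string.IsNullOrEmpty(path))
                throw new InvalidOperationException("CredentialRegistryPath is not configured.");
            return path;
        }
    }

    // Encrypt the secret with DPAPI (machine scope) and store it under a key
    // whose ACL allows only SYSTEM, Administrators and the service account.
    // Must run elevated once, e.g. from an installer. serviceAccount is the
    // identity the application runs as, such as "NT AUTHORITY\\NETWORK SERVICE".
    public static void Protect(string secret, string serviceAccount)
    {
        byte[] plain = Encoding.Unicode.GetBytes(secret);
        byte[] blob;
        try
        {
            blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not leave plaintext in the heap
        }

        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(RegistryPath))
        {
            RegistrySecurity acl = new RegistrySecurity();
            // Stop inheriting the (usually permissive) parent ACL.
            acl.SetAccessRuleProtection(true, false);
            acl.AddAccessRule(new RegistryAccessRule(
                new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
                RegistryRights.FullControl, InheritanceFlags.ContainerInherit,
                PropagationFlags.None, AccessControlType.Allow));
            acl.AddAccessRule(new RegistryAccessRule(
                new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
                RegistryRights.FullControl, InheritanceFlags.ContainerInherit,
                PropagationFlags.None, AccessControlType.Allow));
            // The application identity only needs to read the value.
            acl.AddAccessRule(new RegistryAccessRule(
                new NTAccount(serviceAccount),
                RegistryRights.ReadKey, InheritanceFlags.ContainerInherit,
                PropagationFlags.None, AccessControlType.Allow));
            key.SetAccessControl(acl);

            key.SetValue("Credential", blob, RegistryValueKind.Binary);
        }
    }

    // Read the blob back at run time and decrypt it. Fails closed: a missing
    // key, a missing value or a blob protected on another machine all throw.
    public static string Unprotect()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(RegistryPath, false))
        {
            if (key == null)
                throw new InvalidOperationException("Credential registry key not found.");

            byte[] blob = key.GetValue("Credential") as byte[];
            if (blob == null)
                throw new InvalidOperationException("Credential value missing or not REG_BINARY.");

            // Throws CryptographicException if entropy or machine key does not match.
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
            try
            {
                return Encoding.Unicode.GetString(plain);
            }
            finally
            {
                Array.Clear(plain, 0, plain.Length);
            }
        }
    }
}
```

Two caveats worth keeping in mind with this layout. DataProtectionScope.LocalMachine ties the blob to the machine, not to an account, so the registry ACL is the only thing that stops another local process from decrypting it; if the application always runs under one dedicated account, DataProtectionScope.CurrentUser binds the blob to that account's profile instead and removes that dependency. And the blob cannot be moved to another machine or restored from a backup onto different hardware without re-running Protect there, which is the intended property but needs to be part of the deployment procedure.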