Geek Answers Handbook

What is the best way to save a password or private key on a web hosting?

I do not mean passwords that should not be used (for example, passwords for other users on my site), in which case I really do not need to store them. See https://stackoverflow.com/a/166268/2126 for more details on how to save hashes.

I mean storing passwords in the SQL database and the private key that the software should use on a shared server.

I guess there is no reliable way to do this. I just want to know what is best in this situation.

I am trying to protect them from hackers (on the same website or not). Not from others who have permission to view files.

This is the ASP.Net code that will use them.

+8
security c # web-hosting
source share
2 answers

Windows offers the Data Protection API (DPAPI) specifically for this purpose. Explore the ProtectedData class for use with .NET.

The advantage of DPAPI is that your sensitive data is encrypted based on your Windows login credentials, which means that it is safe if your Windows account is not compromised.

+1
source share

The best way to save a password is not to store it. Use the built-in (Windows) authentication to connect to SQL Server. This includes starting your IIS application pool as a specific (Windows) user and providing that user access to enter the database and launch the necessary queries.

See also SQL Server Integrated Authentication Mode

Besides being safer, it works better. The use of connection strings for each user affects pooling.

EDIT:

If you absolutely must keep the password, then using Encrypted Connection Strings in ASP.NET is the way to go. This will help to use DPAPI to correctly record the connection string and machine key, which will reduce the likelihood that you will ruin it and think that you provided it when you did not.

Also: Connection string encryption in web.config

+3
source share

More articles:


All Articles