Geek Answers Handbook

How to save a database password

I am sure that there are already many discussions, but how to save the password in the application? (I didn’t mean the password of the user to be stored in the table in the database, but the password to build the connection string)

I saw sentences, such as storing it in encrypted form in a flat file, such as an xml file, and then reading it + decrypting it at runtime. If this application runs on a server, this is a very good choice, but what if the application is deployed to end-user PCs? those. the flat file will be copied to the user's computer. Is this a good practice? (my instinct is "NO")

I know the existence of a SecurityString, but then I also read in one post that a SecurityString can also be easily broken.

Is it good to use Password Vault that ships with Windows 7? Is there a good example of using software? I saw an example in msdn, but firstly, it is marked as "windows 8", secondly, when I downloaded the files and opened the solution in visual studio 2012 EXPRESS, it could not open.

Any suggestion is welcome ... thank you very much.

- update -

Say the application will run on multiple PCs in a Windows domain. (1) When launched, the application will perform LDAP authentication (active directory). Only after successful authentication will the application continue, and (2) behind the scenes, the application can connect to the database, take user input to request db, and this is where db passwd enters the game to build a connection string (no, this is not a database SQL SERVER, so I don't think the ability to use Windows authentication is viable unless a commercial plug-in is used).

db is in the same domain and is configured to allow a specific range of IP addresses and SSL is enabled. In short, in this sense it is quite safe. The only bit that is not yet safe is storing db passwd for the application.

What caught my attention was the Mysql Workbench. It will save the db connections, including the password, which is stored in the password store. This is mysql's own password storage implementation, and I'm very curious about how this is done.

+6
source share
2 answers

It is not possible to give a password to your users and expect it to remain safe. Even if it is hidden in your compiled application and hashed with a one-way hash, it will be fixed.

Instead, you should consider your security architecture.

If you provide the services that your application connects to, you should look at providing more reliable authentication as part of your public API.

If the connection string is designed to connect to another part of the distributed software, you must make the password a custom end user and save it in a key fob or other encrypted storage.

- Update -

It looks like it might be what you are looking for;

http://www.microsoft.com/indonesia/msdn/credmgmt.aspx

+8
source

If the application is deployed where you do not have or have little control over the system, i.e. external user PC, it may be worth creating a user login. Authenticate the user from this login, and then from the relatively secure server, use all the credentials needed to provide the data.

This does not guarantee security, but it will be easier to maintain if you need to change the password at some point in the future or if the user is compromised.

+5
source

More articles:


All Articles