What's the best way to store a password or private key on a web host?

Asked 27/6, 2012 at 18:27 Answered 27/6, 2012 at 18:42

I'm not referring to passwords that don't have to be used (such as passwords for other users to my site - in which case I really don't have to store them. See https://mcmap.net/q/73599/-best-way-to-store-password-in-database-closed .) so simply storing hashes is not an option.

I'm referring to storing passwords to an SQL database and a private key that the software on the shared server has to use.

I assume there's no really secure way to do it. I just want to know what's the best in this situation.

I'm trying to keep them secure from hackers (on the same web host or not). Not from others who have permission to see the files.

It's ASP.Net codebehind that will be using them.

Signalize answered 27/6, 2012 at 18:27 Comment(5)

What other proper uses are there for a password besides verification? What else is a password used for? – Elul 27/6, 2012 at 18:29

The best way? Is to not store that information at all .... don't store the password per se - store a salted hash of it. – Tsushima 27/6, 2012 at 18:29

who are you trying to secure this information from? the key in your web.config will be secure from the public, but not those who have access to the file and/or database. in all likelihood, you'll need to determine what level of access to this information is appropriate – Oath 27/6, 2012 at 18:30

@Signalize I guess I still don't understand what you mean. If the password doesn't have to be stored, what are you asking exactly? Any time you're verifying a password you should be able to either a) use the in-built authentication, like Chris Shain suggested in an answer, or b) store the salted hash and verify the password that way. – Elul 27/6, 2012 at 18:33

@ErOx Good point. I edited the question accordingly. – Signalize 27/6, 2012 at 18:33

Windows offers the Data Protection API (DPAPI) specifically for this purpose. Look into the ProtectedData class for consuming it from .NET.

The advantage of DPAPI is that your sensitive data is encrypted based on the Windows user’s logon credential, meaning that it is secure unless your Windows account is compromised.

Terri answered 27/6, 2012 at 18:42 Comment(0)

The best way to store the password is to not store it. Use integrated (Windows) authentication to connect to SQL Server. This involves running your IIS app pool as a specific (Windows) user, and granting that user access to log into the database and run the needed queries.

Aside from being more secure, it performs better. Using per-user connection strings defeats connection pooling.

EDIT:

If you absolutely must store the password, then using Encrypted Connection Strings in ASP.NET is the way to go. This takes care of using DPAPI to store the connection string and machine key correctly, reducing the chance that you screw it up and think you've secured it when you haven't.

Also: Encrypting Connection String in web.config

Leisure answered 27/6, 2012 at 18:31 Comment(10)

-1. Not really an answer in my opinion. OP is specifically asking for a way to to store the password. – Ettie 27/6, 2012 at 18:35

In the context of security, yes. If you ask me the best way to avoid dying in a plane crash, the answer "don't fly anywhere" seems reasonable. The correct answer is the one I gave- you should be using integrated authentication whenever possible. The OP didn't say that Integrated was not an option. – Leisure 27/6, 2012 at 18:37

But if you need to fly - you'll choose the safest way. The software on the site has to use those things. – Signalize 27/6, 2012 at 18:38

@Signalize if integrated security isn't an option, edit the post to indicate that. – Leisure 27/6, 2012 at 18:38

From the question: "It's ASP.Net codebehind that will be using them." (Or do you mean something else and I misunderstood you?) – Signalize 27/6, 2012 at 18:39

@Chris I guess we are all aware that storing the password is not the wisest thing one can do, but I suppose that OP has his reasons to do it. If your post did contain some way to store the password and you would add your warning as a sidenote, I would certainly not downvote it. – Ettie 27/6, 2012 at 18:43

OK. Thanks. Now I understand you. I'll look into that for the SQL part of the question. – Signalize 27/6, 2012 at 18:47

@NikolaAnusev fair enough- I've added an edit to include the "if you must store connection strings" approach. – Leisure 27/6, 2012 at 18:52

Windows Authentication (as described here by @Chris ) is the ideal way to avoid storing credentials to resources like SQL Server. Beyond that if you have to store private keys to 3rd party resources (ie. Azure) you can reference Douglas's answer. The short answer is the best data security measure depends on the data and its application. – Hedgcock 27/6, 2012 at 18:57

@Chris I've removed my downvote. Now, at least in my opinion, the answer is really to the point. – Ettie 27/6, 2012 at 19:4

Windows offers the Data Protection API (DPAPI) specifically for this purpose. Look into the ProtectedData class for consuming it from .NET.

The advantage of DPAPI is that your sensitive data is encrypted based on the Windows user’s logon credential, meaning that it is secure unless your Windows account is compromised.

Terri answered 27/6, 2012 at 18:42 Comment(0)

Recommended topics

Hot tags