How do I secure the user name and password in the connection string?
When developing Windows applications:

  1. How do I secure the user name and password in the connection string?

  2. Would organizations like banks give out the user name and password of their DB to application developers? If not, how do those application developers typically write the DB connections?

  3. What is the industry standard to secure the user name and password in the connection string?

Thanks

Yod answered 24/1, 2014 at 7:40 Comment(0)
  1. How do I secure the user name and password in the connection string?

Either use Windows authentication to eliminate the need for a password in the connection string, or use a combination of one or more of:

Note that the above techniques work well for server applications (e.g. ASP.NET), where access to the server can be restricted to authorized administrators. It doesn't work well for client-side applications that directly access a database.

Note also that encryption on its own is not sufficient: it simply replaces the problem of controlling access to a plaintext configuration file by the problem of controlling access to encryption keys. When using Protected Configuration, you need to decide how to restrict access to the encryption keys used to encrypt your configuration file.

2. Would organizations like banks give out the user name and password of their DB to application developers? If not, how do those application developers typically write the DB connections?

In general developers will only be given credentials to access databases in a development / test environment. Access to production databases will be restricted.

3. What is the industry standard to secure the user name and password in the connection string?

There is no "industry standard", but see the answer to question 1.

Norvol answered 24/1, 2014 at 8:7 Comment(4)
In the second answer you mentioned a test environment; I believe you meant by this a set of dummy data that is parallel to the original? – Yod

@Yod - what data is in a dev/test database will depend on the organization. If the production data is confidential, it may be dummy data or perhaps an anonymized version of the production data. If it's not confidential, it may be just a snapshot of production data. – Norvol

@Joe: I want to deploy my app to end users. How do I secure the username/password used to connect to a centralized SQL server? As you wrote, "It doesn't work well for client-side applications that directly access a database." – Chalmer

@Chalmer - "it doesn't work well" because the user will be able to get access to the database if he's determined enough. To mitigate this, you can restrict what the database login is allowed to do (e.g. only execute stored procedures that are needed for the application). But it can never be as secure as an architecture with a web service between the client and the database, where the client cannot directly access the database. – Norvol
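The Windows-authentication option from the answer above, as an added example (this is not code from the original answer): a connection string built so that it carries no password at all, plus a small startup or build-time check that flags any connection string which does embed a SQL login password. The server, database and login names, and the sample password, are constructed placeholders.

```csharp
// Added example, not from the original post. Demonstrates (1) a connection
// string that relies on Windows authentication, so no secret is stored, and
// (2) a defensive check that detects a plaintext password in a connection
// string before it ships in app.config. Names below are placeholders.
using System;
using System.Data.SqlClient;

public static class ConnectionStringChecks
{
    // Windows authentication: the identity of the running process (a domain
    // user or a service account) is used, so the string contains no password.
    public static string BuildIntegratedSecurityString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,
            Encrypt = true   // also protect credentials/data on the wire
        };
        return builder.ConnectionString;
    }

    // True when the string uses a SQL login with an embedded password.
    // SqlConnectionStringBuilder parses every accepted spelling of the
    // keywords (Password/Pwd, Integrated Security/Trusted_Connection), so
    // this is more reliable than a substring search.
    public static bool ContainsPlaintextPassword(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        return !builder.IntegratedSecurity && builder.Password.Length > 0;
    }

    public static void Main()
    {
        // Placeholder server/database names.
        string integrated = BuildIntegratedSecurityString("sql01.example.local", "Payments");
        // Constructed sample of the pattern to avoid: a SQL login with its password inline.
        string embedded = "Server=sql01.example.local;Database=Payments;User Id=app_user;Password=placeholder-secret;";

        Console.WriteLine(integrated);
        Console.WriteLine("integrated has plaintext password: " + ContainsPlaintextPassword(integrated));
        Console.WriteLine("embedded has plaintext password: " + ContainsPlaintextPassword(embedded));
    }
}
```

Running `ContainsPlaintextPassword` over every entry in `ConfigurationManager.ConnectionStrings` at application start is a cheap way to catch a plaintext credential that slipped into a deployed config. It complements the restriction the comment above describes: even with Windows authentication, the Windows account or service account the application runs under should be granted only the stored procedures or tables it needs.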
You can encrypt sections in the app.config in the same way as web.config. MS calls it Protected Configuration. Like this:

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAH2... </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
Thule answered 24/1, 2014 at 7:47 Comment(0)
From MSDN:

ASP.NET 2.0 introduced a new feature, called protected configuration, that enables you to encrypt sensitive information in a configuration file. Although primarily designed for ASP.NET, protected configuration can also be used to encrypt configuration file sections in Windows applications. For a detailed description of the protected configuration capabilities, see Encrypting Configuration Information Using Protected Configuration.

The following configuration file fragment shows the connectionStrings section after it has been encrypted. The configProtectionProvider specifies the protected configuration provider used to encrypt and decrypt the connection strings. The EncryptedData section contains the cipher text.

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAH2... </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

When the encrypted connection string is retrieved at run time, the .NET Framework uses the specified provider to decrypt the CipherValue and make it available to your application. You do not need to write any additional code to manage the decryption process. Please read the following article on MSDN for more information:

Connection Strings and Configuration Files

Staunch answered 24/1, 2014 at 7:43 Comment(3)
Link-only answers are frowned upon here at SO. Try adding a bit of detail. – Riyal

No, but I imagine that you could build an answer that summarizes the article and then include the link. That would add value. Links don't add value. – Riyal

Wasting time on comments ... better to copy info from MSDN into the answer. – Staunch
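The Protected Configuration round trip that the two answers above (Thule's and the MSDN excerpt) describe, as an added example rather than code from either answer or from MSDN: encrypt the `connectionStrings` section of the application's own config file in place, and read a connection string back through the normal API, which decrypts transparently. It assumes a project reference to `System.Configuration`; the connection string name "Payments" is a placeholder.

```csharp
// Added example, not from the original answers or MSDN. Encrypts the
// <connectionStrings> section with the DPAPI-backed provider that ships with
// .NET, and shows that ordinary reads need no decryption code.
// Requires a reference to System.Configuration.dll.
using System;
using System.Configuration;

public static class ProtectedConfigDemo
{
    // Provider name as registered in machine.config (the one used in the
    // encrypted fragments shown in the answers above).
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the exe's own config file. Run this once
    // at install time, under the account the application will run as.
    public static void ProtectConnectionStrings()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection section = config.ConnectionStrings;

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;   // write even if nothing else changed
            config.Save(ConfigurationSaveMode.Full);
        }
    }

    // Reverses the step above, e.g. before rotating the credential.
    public static void UnprotectConnectionStrings()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection section = config.ConnectionStrings;

        if (section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
        }
    }

    // Normal application code: identical whether or not the section on disk
    // is encrypted, because the framework decrypts on read.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new InvalidOperationException("No connection string named '" + name + "' in config");
        return settings.ConnectionString;
    }

    public static void Main()
    {
        ProtectConnectionStrings();
        // "Payments" is a placeholder name for an entry in app.config.
        Console.WriteLine(GetConnectionString("Payments"));
    }
}
```

Two points follow from Norvol's remark that encryption only moves the problem to the keys. The provider above is Windows DPAPI; as registered in machine.config it is configured with `useMachineProtection="true"`, so the key is machine-scoped and any account that can log on to that machine and read the file can decrypt it. To bind the section to the service account instead, register your own provider entry in app.config with `useMachineProtection="false"` and run the encryption step under that account. Either way, the file should still carry an ACL that limits read access to that account and to administrators.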
You should use parameters.

Example:

using System.Data.SqlClient;

// conn is an open SqlConnection; uname is a TextBox holding the user name.
SqlCommand command = new SqlCommand("select * from Login where Username = @name", conn);
command.Parameters.Add(new SqlParameter("@name", uname.Text));

Hazelhazelnut answered 24/1, 2014 at 7:45 Comment(2)
That is not about securing connection string data. – Training

I think the OP is looking for how to encrypt the user and pass to connect to the database, not to select a user and pass from a database. – Riyal