What is the best practice for storing database connection details in .NET?

5

13

This might be a duplicate (question) but I am looking specifically for the .NET best practice.

How to store database connection strings, username and password etc. in a safe way? Is an encrypted app.config best in most cases?

I would also like to be able to set the password in the config file and then have it encrypted as soon as the application starts. (I am not asking for a solution as I have solved this before, I'm just looking for best practice(s)).

I'm also interested in alternative solutions that you have good experiences with.

Mesne answered 14/8, 2009 at 10:37 Comment(0)
6

I think the best practice is to use integrated security if possible, for 2 reasons... It is the easiest solution to manage and it is the easiest solution to get right.

If for some reason you can't use integrated security and you have to use username and password, encrypt them using something like the Enterprise Library's Config Manager to encrypt sections of your web.config.

Backhand answered 14/8, 2009 at 10:43 Comment(3)
Thanks, I have never used the Enterprise Library before, I will check it out. – Mesne
Connections are pooled according to the connection string plus the user identity. Using Integrated Security could result in Connection Pool Fragmentation. (msdn.microsoft.com/en-us/library/8xx3tyca.aspx). – Putamen
@Vasu - I wasn't aware of that problem but I guess this is most important for Windows Apps since ASP.NET applications usually connect with the same user (i.e. the worker process identity). – Backhand
4

There are several things that we should know about protecting connection strings: http://msdn.microsoft.com/en-us/library/89211k9b.aspx

In my view the best way to store them (the one that combines flexibility and security) is "Encrypting Configuration File Sections Using Protected Configuration": http://msdn.microsoft.com/en-us/library/ms254494.aspx

Corenecoreopsis answered 14/8, 2009 at 11:5 Comment(0)
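
An added example (not code from any poster on this page) of the "encrypt on first start" pattern the question describes, using the Protected Configuration API the answer above links to. It assumes a .NET Framework executable whose process can write to its own .config file; the connection string name `AppDb` is hypothetical.

```csharp
using System;
using System.Configuration; // add a reference to System.Configuration.dll

static class ConnectionStringProtector
{
    // Built-in provider names:
    //   DataProtectionConfigurationProvider - DPAPI, key is bound to this machine
    //   RsaProtectedConfigurationProvider   - RSA key container, can be exported to other servers
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the executable's config file if it is still plaintext.
    // Returns true only when this call performed the encryption.
    public static bool ProtectIfNeeded()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null || section.SectionInformation.IsProtected)
            return false; // nothing to do: section missing or already encrypted

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Drop the cached plaintext copy so later reads come from the saved file.
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    static void Main()
    {
        Console.WriteLine(ProtectIfNeeded()
            ? "connectionStrings section encrypted"
            : "connectionStrings section already protected or absent");

        // Reads need no extra code: the runtime decrypts the section on access.
        // "AppDb" is a hypothetical entry name used for this example.
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings["AppDb"];
        Console.WriteLine(entry == null
            ? "No connection string named AppDb"
            : "Loaded connection string: " + entry.Name); // never log the value itself
    }
}
```

With the DPAPI provider the encrypted file only decrypts on the machine that encrypted it, and any code running on that machine with access to the key can read it, so this protects the file at rest rather than the secret from the application's own host.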
1

That would be web.config. You can encrypt the connection string if security is a concern.

Halvorson answered 14/8, 2009 at 11:12 Comment(0)
0

Something that I have found to be useful lately, is Microsoft's Single Sign On service. If you need to use SQL Authentication, you can store the actual credentials in an encrypted database.

Fungoid answered 14/8, 2009 at 15:11 Comment(0)
0

Use app.config or web.config to encrypt sensitive sections. .NET provides utilities for this. If you're working with various databases and want advanced connection features, dotConnect by is an excellent choice. I have tried it myself. It offers enhanced security and performance for database operations in .NET. For the parts of your application using ODBC, ODBC Driver is a robust solution that ensures safe and efficient connectivity.

Fachanan answered 27/10, 2023 at 9:48 Comment(0)
