Storing passwords in web.config

So create a class to decrypt a password which is stored, for, say, an email account, but how do you do it for external entities such as databases?
 
So create a class to decrypt a password which is stored, for, say, an email account, but how do you do it for external entities such as databases?

I'd do it as a 1 way encryption using something like MD5. You encrypt their entered password against the one stored and if they don't match the password is wrong. If they request a new password, have the system generate one for them.
 
It's not bad practice at all; it's in the web.config and safe from all but developers and those with access to the web.config file (IT Ops etc.).

Personally, I've rarely found any reason to do this though, so I would question your reason for doing this.
 
I'd do it as a 1 way encryption using something like MD5. You encrypt their entered password against the one stored and if they don't match the password is wrong. If they request a new password, have the system generate one for them.

Being pedantic here.. MD5 et al. are not encryption algorithms, they are hashing algorithms. So to "MD5" some data is to hash some data, not encrypt. :)
 
It's not bad practice at all; it's in the web.config and safe from all but developers and those with access to the web.config file (IT Ops etc.).

Personally, I've rarely found any reason to do this though, so I would question your reason for doing this.

Although it's not safe from people who might get on the web server itself. If that happens to be a malicious person then your database could be in trouble.
 
More to the point MD5 is worthless.
Not completely. Some consider it worthless due to its popularity with password hashing (and the resulting rainbow tables available), but there are plenty of ways to increase the security of it. Salting :)

But yes, something like SHA256 is more "secure" :)
 