8

I'm not referring to passwords that don't have to be used (such as passwords for other users to my site - in which case I really don't have to store them. See https://stackoverflow.com/a/1054069/939213 .) so simply storing hashes is not an option.

I'm referring to storing passwords to an SQL database and a private key that the software on the shared server has to use.

I assume there's no really secure way to do it. I just want to know what's the best in this situation.

I'm trying to keep them secure from hackers (on the same web host or not). Not from others who have permission to see the files.

It's ASP.Net codebehind that will be using them.

Community
  • 1
  • 1
ispiro
  • 26,556
  • 38
  • 136
  • 291
  • What other proper uses are there for a password besides verification? What else is a password used for? – Ricardo Altamirano Jun 27 '12 at 18:29
  • The best way? Is to **not** store that information at all .... don't store the password per se - store a salted hash of it. – marc_s Jun 27 '12 at 18:29
  • who are you trying to secure this information from? the key in your web.config will be *secure* from the public, but not those who have access to the file and/or database. in all likelihood, you'll need to determine what level of access to this information is appropriate – Didaxis Jun 27 '12 at 18:30
  • 1
    @ispiro I guess I still don't understand what you mean. If the password doesn't have to be stored, what are you asking exactly? Any time you're verifying a password you should be able to either a) use the in-built authentication, like Chris Shain suggested in an answer, or b) store the salted hash and verify the password that way. – Ricardo Altamirano Jun 27 '12 at 18:33
  • @ErOx Good point. I edited the question accordingly. – ispiro Jun 27 '12 at 18:33

2 Answers2

5

The best way to store the password is to not store it. Use integrated (Windows) authentication to connect to SQL Server. This involves running your IIS app pool as a specific (Windows) user, and granting that user access to log into the database and run the needed queries.

See also SQL Server Integrated Authentication Mode

Aside from being more secure, it performs better. Using per-user connection strings defeats connection pooling.

EDIT:

If you absolutely must store the password, then using Encrypted Connection Strings in ASP.NET is the way to go. This takes care of using DPAPI to store the connection string and machine key correctly, reducing the chance that you screw it up and think you've secured it when you haven't.

Also: Encrypting Connection String in web.config

Community
  • 1
  • 1
Chris Shain
  • 50,833
  • 6
  • 93
  • 125
  • -1. Not really an answer in my opinion. OP is specifically asking for a way to to _store_ the password. – Nikola Anusev Jun 27 '12 at 18:35
  • In the context of security, yes. If you ask me the best way to avoid dying in a plane crash, the answer "don't fly anywhere" seems reasonable. The *correct* answer is the one I gave- you should be using integrated authentication whenever possible. The OP didn't say that Integrated was not an option. – Chris Shain Jun 27 '12 at 18:37
  • But if you need to fly - you'll choose the safest way. The software on the site has to use those things. – ispiro Jun 27 '12 at 18:38
  • @ispiro if integrated security isn't an option, edit the post to indicate that. – Chris Shain Jun 27 '12 at 18:38
  • From the question: "It's ASP.Net codebehind that will be using them." (Or do you mean something else and _I_ misunderstood _you_?) – ispiro Jun 27 '12 at 18:39
  • @Chris I guess we are all aware that storing the password is not the wisest thing one can do, but I suppose that OP has his reasons to do it. If your post did contain some way to store the password and you would add your warning as a sidenote, I would certainly not downvote it. – Nikola Anusev Jun 27 '12 at 18:43
  • OK. Thanks. Now I understand you. I'll look into that for the SQL part of the question. – ispiro Jun 27 '12 at 18:47
  • @NikolaAnusev fair enough- I've added an edit to include the "if you must store connection strings" approach. – Chris Shain Jun 27 '12 at 18:52
  • Windows Authentication (as described here by @Chris ) is the ideal way to avoid storing credentials to resources like SQL Server. Beyond that if you have to store private keys to 3rd party resources (ie. Azure) you can reference Douglas's answer. The short answer is the best data security measure depends on the data and its application. – kingdango Jun 27 '12 at 18:57
  • @Chris I've removed my downvote. Now, at least in my opinion, the answer is really to the point. – Nikola Anusev Jun 27 '12 at 19:04
2

Windows offers the Data Protection API (DPAPI) specifically for this purpose. Look into the ProtectedData class for consuming it from .NET.

The advantage of DPAPI is that your sensitive data is encrypted based on the Windows user’s logon credential, meaning that it is secure unless your Windows account is compromised.

Douglas
  • 53,759
  • 13
  • 140
  • 188