Is it absolutely necessary to encrypt a connection string?

Question

I'm accessing a WCF service (hosted on Azure) from a Windows Phone 7 app and currently the connection string to the database is stored in the WCF web config file in plain text.

After doing some reading online - I'm just confused. What exactly are the reasons I should encrypt my connection string if the service is tucked away on Azure?

Thanks!

it is for security freaks - for instance if someone, somehow, hacks the IIS and gets read accesses to your web.config (which might also happen with an erroneous IIS Configuration), then one will see your plain texted conn string. — astaykov, Oct 01 '12 at 12:56
...and then hope that you've dropped the entire ip address range on your SQL Database firewall. — Richard Astbury, Oct 01 '12 at 15:23
Here's why it can be a good idea http://stackoverflow.com/a/11208047/57428 — sharptooth, Oct 02 '12 at 07:59

score 2 · Accepted Answer · answered Oct 01 '12 at 13:07

2

No, it is not

Absolutely Necessary

The next question is why not encrypt it? It is easy to do and the 'whole' security best practice is: dont make it easy for the bad guys. Personally, I agree with astaykov, but professionally, I would encrypt it.

answered Oct 01 '12 at 13:07

John E

166
1
10

It's more a case of could I get away with doing it later on in the project? Which by the sounds of it is a yes. Thank you. – user1567095 Oct 01 '12 at 13:27

Is it absolutely necessary to encrypt a connection string?

1 Answers1