Avoid Plain Text Passwords or Other Sensitive Data in Configuration Files

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Avoid putting any sensitive information in configuration files or in code. If you have to store user credentials or other sensitive information in configuration sections, encrypt those sections by using one of the protected configuration providers. Sensitive information should not be stored in plaintext, because an attacker who compromises the server will be able to read those credentials unless they are adequately protected.

In .NET version 2.0 and later there are two protected configuration providers that encrypt configuration sections such as connection strings: one based on DPAPI and one based on RSA. If your application is deployed in a Web farm, use the RSA protected configuration provider, because RSA key containers can be exported and imported so that every server in the farm can decrypt the same configuration. Otherwise, use the DPAPI protected configuration provider.
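The following console program is an added example, not code from the original page or from the patterns & practices team, showing how a deployment script can encrypt (or decrypt again) the connectionStrings section of a Web.config with either provider using the standard System.Configuration API. The virtual path "/MyApp" and the connection string name "Main" are placeholders; the program must be compiled with references to System.Configuration.dll and System.Web.dll and run on the IIS server by an account that may write Web.config and use the RSA key container.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypts or decrypts the <connectionStrings> section of a
// web application's Web.config with a protected configuration provider.
// Usage:  ProtectConnectionStrings.exe [rsa|dpapi|unprotect]
class ProtectConnectionStrings
{
    // Placeholder virtual path of the site in IIS (assumption, not from the page).
    const string AppVirtualPath = "/MyApp";

    static int Main(string[] args)
    {
        string mode = args.Length > 0 ? args[0].ToLowerInvariant() : "rsa";

        // RSA for Web farms (key container can be exported to every node),
        // DPAPI when the configuration only ever needs to be read on this machine.
        string provider = mode == "dpapi"
            ? "DataProtectionConfigurationProvider"
            : "RsaProtectedConfigurationProvider";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(AppVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
        {
            Console.Error.WriteLine("No <connectionStrings> section found in Web.config.");
            return 1;
        }

        if (mode == "unprotect")
        {
            // Decrypt, e.g. before editing the section by hand; re-run afterwards to re-encrypt.
            if (section.SectionInformation.IsProtected)
                section.SectionInformation.UnprotectSection();
        }
        else if (section.SectionInformation.IsProtected)
        {
            // Never double-encrypt: report which provider already protects the section.
            Console.WriteLine("Section already protected by " +
                section.SectionInformation.ProtectionProvider.Name);
            return 0;
        }
        else
        {
            section.SectionInformation.ProtectSection(provider);
        }

        // ForceSave makes sure the (now encrypted) section is written even if
        // the runtime considers it unchanged.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Code that reads the section keeps working unchanged: the configuration
        // system decrypts transparently, so the plaintext never appears on disk.
        var css = (ConnectionStringsSection)config.GetSection("connectionStrings");
        ConnectionStringSettings main = css.ConnectionStrings["Main"]; // placeholder name
        Console.WriteLine(main != null
            ? "Section saved; 'Main' is still readable by the application."
            : "Section saved; no connection string named 'Main' present.");
        return 0;
    }
}
```

The same operation is available without code through `aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "RsaProtectedConfigurationProvider"` (use `-pd` to decrypt). For a Web farm, export the RSA key container once with `aspnet_regiis -px "NetFrameworkConfigurationKey" keys.xml -pri`, import it on each node with `aspnet_regiis -pi`, and grant the application pool identity access to it with `aspnet_regiis -pa`; otherwise the other servers cannot decrypt the section. Whichever route you take, confirm afterwards that Web.config no longer contains the credentials in plaintext and that the application still starts.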

Additional Resources

Last edited Jun 12, 2008 at 11:34 PM by prashantbansode, version 1
