How secure the user name and password in the connection string?

c# database ado.net sqlconnection
14,745

Solution 1

  1. How I secure the user name and password in the connection string?

Either use Windows authentication to eliminate the need for a password in the connection string, or use a combination of one or more of:

Note that the above techniques work well for server applications (e.g. ASP.NET), where access to the server can be restricted to authorized administrators. It doesn't work well for client-side applications that directly access a database.

Note also that encryption on its own is not sufficient: it simply replaces the problem of controlling access to a plaintext configuration file by the problem of controlling access to encryption keys. When using Protected Configuration, you need to decide how to restrict access to the encryption keys used to encrypt your configuration file.

2. Organizations like banks, would they give out the user name and password of their DB to application developers? if not typically how those applications developers write the DB Connections?

In general developers will only be given credentials to access databases in a development / test environment. Access to production databases will be restricted.

3. What is the industry standard to secure user and password in the connection string?

There is no "industry standard", but see answer to question 1.

Solution 2

You can encrypt sections in the app.config in the same way as web.config. MS calls it Protected Configuration. Like this

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAH2... </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
Share:
14,745
sniff_bits
Author by

sniff_bits

Updated on June 19, 2022

Comments

  • sniff_bits
    sniff_bits almost 2 years

    when developing windows applications:

    1. How I secure the user name and password in the connection string?

    2. Organizations like banks, would they give out the user name and password of their DB to application developers? if not typically how those applications developers write the DB Connections?

    3. What is the industry standard to secure user and password in the connection string?

    thanks

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

C# connect to database and list the databases
How to pass ADO.NET DataSet to a view
Creating a new database (.mdb) with ADO.NET
Connection pool with possible severed connections
CommandType.Text vs CommandType.StoredProcedure
Is SqlCommand.Dispose() required if associated SqlConnection will be disposed?
Should I be using SqlDataReader inside a "using" statement?
How to run multiple SQL commands in a single SQL connection?
Check if SQL Connection is Open or Closed
Under what circumstances is an SqlConnection automatically enlisted in an ambient TransactionScope Transaction?