How secure are the user name and password in the connection string?

When developing Windows applications:

  1. How do I secure the user name and password in the connection string?

  2. Organizations like banks, would they give out the user name and password of their DB to application developers? If not, typically how do those application developers write the DB connections?

  3. What is the industry standard to secure the user and password in the connection string?

Thanks

sniff_bits asked Jan 24 '14 07:01



2 Answers

1. How do I secure the user name and password in the connection string?

Either use Windows authentication to eliminate the need for a password in the connection string, or use a combination of one or more of:

  • Encryption, e.g. using Protected Configuration.

  • Restrict access to the configuration file, e.g. using an ACL.

Note that the above techniques work well for server applications (e.g. ASP.NET), where access to the server can be restricted to authorized administrators. They don't work well for client-side applications that directly access a database.

Note also that encryption on its own is not sufficient: it simply replaces the problem of controlling access to a plaintext configuration file by the problem of controlling access to encryption keys. When using Protected Configuration, you need to decide how to restrict access to the encryption keys used to encrypt your configuration file.

2. Organizations like banks, would they give out the user name and password of their DB to application developers? If not, typically how do those application developers write the DB connections?

In general developers will only be given credentials to access databases in a development / test environment. Access to production databases will be restricted.

3. What is the industry standard to secure the user and password in the connection string?

There is no "industry standard", but see the answer to question 1.

Joe answered Nov 14 '22 23:11


You can encrypt sections in the app.config in the same way as web.config. MS calls it Protected Configuration. Like this:

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAH2... </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

Jitendra answered Nov 15 '22 01:11
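As an added example (not code from either answer), the following C# program produces the encrypted <connectionStrings> section shown above from a Windows application's own app.config, using the .NET System.Configuration API and the same DataProtectionConfigurationProvider; it assumes the app.config contains a connection string named "MainDb" (an assumed name) and is run under the account that will later read the file.

```csharp
using System;
using System.Configuration;

// Added example: encrypt the <connectionStrings> section of this executable's
// app.config in place with the DPAPI-backed Protected Configuration provider,
// then read the connection string back. Decryption is transparent to any code
// that uses ConfigurationManager, so callers never handle the key material.
static class ProtectConnectionStrings
{
    const string Provider = "DataProtectionConfigurationProvider";
    const string SectionName = "connectionStrings";
    const string ConnName = "MainDb"; // assumed name of the connection string in app.config

    static void Main()
    {
        // Opens <exe>.config next to the running executable (not web.config).
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(SectionName);

        if (!section.SectionInformation.IsProtected)
        {
            // After Save, the file contains <EncryptedData>/<CipherValue>
            // instead of the plaintext <add name=... connectionString=.../>.
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            ConfigurationManager.RefreshSection(SectionName);
            Console.WriteLine("Encrypted the " + SectionName + " section.");
        }
        else
        {
            Console.WriteLine("Section is already protected; nothing to do.");
        }

        // Reading goes through the provider; DPAPI (machine scope by default
        // for this provider) decrypts it for processes in the same scope.
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[ConnName];
        if (cs == null)
        {
            Console.WriteLine("No connection string named " + ConnName + " found.");
            return;
        }

        // Print only the data source, never the full string: it may contain
        // the password this whole exercise is meant to keep out of logs.
        var builder = new System.Data.Common.DbConnectionStringBuilder { ConnectionString = cs.ConnectionString };
        Console.WriteLine("Decrypted OK; data source = " + builder["Data Source"]);
    }
}
```

Anyone who can read the file and run code in the same DPAPI scope can still recover the plaintext, which is the point of the first answer's note about controlling key access; combine this with an ACL on the config file, or prefer Integrated Security=SSPI so no password is stored at all.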