Passing password through database how to make it secure

I'm working on an application that is being run on several servers. One of the servers handles the input and the others execute it. As per company policy everything has to pass through the database, and sockets between instances are disallowed.

Now this works fine for everything, but one thing that worries me is the password. I'm currently implementing something that requires a user password to arrive at one of these applications in plain text. Now I understand this will never be 100% secure, but how do I minimize the risk? Currently I plan on putting the pw in the database and wiping it from the db once it has arrived. Logs are deleted once a day. How can I further this security-wise?

Thijser asked Aug 10 '15 08:08


2 Answers

You can use this method to encrypt the password:

    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    // DES with a caller-supplied 8-byte key and the fixed IV declared below;
    // the same password and key always produce the same Base64 string.
    public string Encrypt(string stringToEncrypt, string SEncryptionKey)
    {
        key = Encoding.UTF8.GetBytes(SEncryptionKey); // DES requires exactly 8 bytes
        DESCryptoServiceProvider des = new DESCryptoServiceProvider();
        byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
        MemoryStream ms = new MemoryStream();
        CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
        cs.Write(inputByteArray, 0, inputByteArray.Length);
        cs.FlushFinalBlock();
        return Convert.ToBase64String(ms.ToArray());
    }

by using:

    private byte[] key = { };
    private byte[] IV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xab, 0xcd, 0xef }; // fixed 8-byte DES IV

And then you can insert it in the database:

    password = ...
    password = Encrypt(password.Trim(), "r0b1nr0y"); // 8-character key, as DES requires

    // Insert in db

and for decryption, you can use this method:

    // Reverses Encrypt: Base64-decode, then DES-decrypt with the same key and fixed IV.
    public string Decrypt(string stringToDecrypt, string sEncryptionKey)
    {
        key = Encoding.UTF8.GetBytes(sEncryptionKey);
        DESCryptoServiceProvider des = new DESCryptoServiceProvider();
        byte[] inputByteArray = Convert.FromBase64String(stringToDecrypt);
        MemoryStream ms = new MemoryStream();
        CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
        cs.Write(inputByteArray, 0, inputByteArray.Length);
        cs.FlushFinalBlock();
        return Encoding.UTF8.GetString(ms.ToArray());
    }
Jad Chahine answered Sep 27 '22 21:09


If it is not possible to hash the password, because you need the password as plain text (what I'm guessing from your question), then you could store the password encrypted in the column. All the applications on the different servers need to share the decryption key within the config.

By the way: I would also use an encrypted SQL connection to protect against sniffing.

CodeTherapist answered Sep 27 '22 21:09
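Added example, not code from either answer: the "encrypt the column, share the key via config" design that CodeTherapist describes and Jad Chahine's code implements, but with AES-256-GCM (random nonce plus authentication tag) in place of DES with a fixed IV. It assumes .NET 8 and that the 32-byte shared key is loaded from each server's config; PasswordRelay, Seal and Open are names chosen here.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not code from either answer: the "encrypt the column, share the
// key via config" design with AES-256-GCM (random nonce + authentication tag)
// instead of DES with a fixed IV. Assumes .NET 8 and a 32-byte key from config.
public static class PasswordRelay
{
    const int NonceSize = 12, TagSize = 16;
    // Returns base64(nonce || tag || ciphertext) for the database column.
    // A fresh nonce per row means identical passwords never repeat in the table,
    // the tag makes an altered row fail to decrypt, and 'context' (e.g. job id
    // and target server) is authenticated so a row cannot be replayed elsewhere.
    public static string Seal(byte[] key, string password, string context)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(password);
        byte[] blob = new byte[NonceSize + TagSize + plaintext.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceSize));
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(blob.AsSpan(0, NonceSize), plaintext,
                        blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize),
                        Encoding.UTF8.GetBytes(context));
        CryptographicOperations.ZeroMemory(plaintext); // plaintext copy no longer needed
        return Convert.ToBase64String(blob);
    }
    // Reverses Seal. Throws CryptographicException if the row was altered or the
    // caller's 'context' differs from the one it was sealed for.
    public static string Open(byte[] key, string column, string context)
    {
        byte[] blob = Convert.FromBase64String(column);
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("malformed column");
        byte[] plaintext = new byte[blob.Length - NonceSize - TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize),
                        blob.AsSpan(NonceSize, TagSize), plaintext,
                        Encoding.UTF8.GetBytes(context));
        string password = Encoding.UTF8.GetString(plaintext);
        CryptographicOperations.ZeroMemory(plaintext);
        return password; // caller deletes the row now that the password has arrived
    }
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed; read it from config in practice
        string column = Seal(key, "hunter2", "job:42;target:worker-3");
        Console.WriteLine(Open(key, column, "job:42;target:worker-3"));
        try { Open(key, column, "job:42;target:worker-9"); }
        catch (CryptographicException) { Console.WriteLine("rejected: wrong target"); }
    }
}
```

The receiving server should delete the row immediately after a successful Open, as the question already plans, since the column is only as secret as the shared key in every server's config.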