
Send email in secure way

I'm trying to make a simple application which will send an email. I use the MailMessage and SmtpClient classes. SmtpClient requires a login and password to work.

  • Is it secure to compile the application with the login/password in a simple string?
  • Is it possible to disassemble this and get the password?
  • How to hide it from a potential attacker?
  • Is it possible to send email without using a login/password?
apocalypse asked Feb 27 '13 15:02


1 Answer

Yes, storing the password in plain text anywhere in your application is unsafe. Don't do it!

Instead, you should store the password encrypted in your App.config file (or somewhere else in a configuration file, machine.config for example):

Encrypting and Decrypting ApplicationConfigSections

Alternatively you could ask the user at runtime for the credentials.

If you want to avoid explicitly providing a password, you can authenticate via Windows authentication of the currently logged-on user. For this you can use SmtpClient.UseDefaultCredentials for sending the mail. Of course this only works if the SMTP server recognizes the user's Windows credentials.


If you want to be secure from man-in-the-middle attacks and packet sniffing, you should use SSL to transmit the authentication data. You can do this by enabling SSL in the configuration or just setting the property yourself: SmtpClient.EnableSsl. (.NET >= 4.0)

magnattic answered Oct 20 '22 13:10
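The approach from the answer above, as an added example that is not part of the original post: the SMTP settings live in an encrypted `<mailSettings>` section of App.config instead of a string in the binary, and the mail is sent with SSL enabled. It assumes .NET Framework 4.0 or later with a reference to System.Configuration; the class name, host, account and addresses are placeholders.

```csharp
using System.Configuration;
using System.Net.Mail;

static class SecureMail
{
    // App.config, constructed sample (host, account and addresses are placeholders):
    //   <system.net><mailSettings><smtp from="app@example.com">
    //     <network host="smtp.example.com" port="587" enableSsl="true"
    //              userName="app@example.com" password="PLACEHOLDER" />
    //   </smtp></mailSettings></system.net>

    // Run once on the deployment machine: encrypts the <smtp> section in place with DPAPI.
    // The section is decrypted transparently at run time, so this protects the file at
    // rest, not against someone who can run code in the same context as the application.
    static void ProtectSmtpSection()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection smtp = config.GetSection("system.net/mailSettings/smtp");
        if (smtp == null || smtp.SectionInformation.IsProtected) return;
        smtp.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        smtp.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    static void Send(string to, string subject, string body, bool windowsAuth)
    {
        // The parameterless constructors read host, port, credentials and the From
        // address from <mailSettings>; no password appears in the compiled code.
        using (var client = new SmtpClient())
        using (var message = new MailMessage())
        {
            client.EnableSsl = true;   // Send throws if the server cannot negotiate TLS
            if (windowsAuth)
                client.UseDefaultCredentials = true;   // logged-on user's Windows identity
            message.To.Add(to);
            message.Subject = subject;
            message.Body = body;
            client.Send(message);
        }
    }

    static void Main()
    {
        ProtectSmtpSection();
        Send("recipient@example.com", "Test", "Sent without a hard-coded password.", false);
    }
}
```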