Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What's the best way to store a password or private key on a web host?

I'm not referring to passwords that don't have to be used (such as passwords for other users to my site - in which case I really don't have to store them. See https://stackoverflow.com/a/1054069/939213 .) so simply storing hashes is not an option.

I'm referring to storing passwords to an SQL database and a private key that the software on the shared server has to use.

I assume there's no really secure way to do it. I just want to know what's the best in this situation.

I'm trying to keep them secure from hackers (on the same web host or not). Not from others who have permission to see the files.

It's ASP.Net codebehind that will be using them.

like image 613
ispiro Avatar asked Jun 27 '12 18:06

ispiro


1 Answers

The best way to store the password is to not store it. Use integrated (Windows) authentication to connect to SQL Server. This involves running your IIS app pool as a specific (Windows) user, and granting that user access to log into the database and run the needed queries.

See also SQL Server Integrated Authentication Mode

Aside from being more secure, it performs better. Using per-user connection strings defeats connection pooling.

EDIT:

If you absolutely must store the password, then using Encrypted Connection Strings in ASP.NET is the way to go. This takes care of using DPAPI to store the connection string and machine key correctly, reducing the chance that you screw it up and think you've secured it when you haven't.

Also: Encrypting Connection String in web.config

like image 149
Chris Shain Avatar answered Sep 21 '22 14:09

Chris Shain