I'm not referring to passwords that don't have to be used (such as passwords for other users to my site - in which case I really don't have to store them. See https://stackoverflow.com/a/1054069/939213 .) so simply storing hashes is not an option.
I'm referring to storing passwords to an SQL database and a private key that the software on the shared server has to use.
I assume there's no really secure way to do it. I just want to know what's the best in this situation.
I'm trying to keep them secure from hackers (on the same web host or not). Not from others who have permission to see the files.
It's ASP.Net codebehind that will be using them.
The best way to store the password is to not store it. Use integrated (Windows) authentication to connect to SQL Server. This involves running your IIS app pool as a specific (Windows) user, and granting that user access to log into the database and run the needed queries.
See also SQL Server Integrated Authentication Mode
Aside from being more secure, it performs better. Using per-user connection strings defeats connection pooling.
EDIT:
If you absolutely must store the password, then using Encrypted Connection Strings in ASP.NET is the way to go. This takes care of using DPAPI to store the connection string and machine key correctly, reducing the chance that you screw it up and think you've secured it when you haven't.
Also: Encrypting Connection String in web.config
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With