Click here to Skip to main content
15,849,163 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
What is the accepted way for a desktop application to store the user name and password that it uses to access a remote database?

I have searched, but found only articles about storing passwords in the database.
Posted

Have the application call a web service that has the stored password. Never store passwords on a user's computer.
 
Share this answer
 
Comments
Richard Andrew x64 20-Jul-11 18:40pm    
How does this prevent a unauthorized user from retrieving the password?
AspDotNetDev 20-Jul-11 18:50pm    
The web service would run on a server that you control rather than on a user's computer.
Richard Andrew x64 20-Jul-11 18:54pm    
But what prevents the unauthorized user from calling the web service? I'm sorry if I'm missing something obvious. Thanks for your help.
AspDotNetDev 20-Jul-11 18:56pm    
That's an entirely different matter. You can either authenticate a user (e.g., they have a username/password they must type in, which is different from the database connection password) or your web service only provides methods that are low risk.
I would suggest to store the password in the app.config/web.config in the connection string and in the encrypted format.

See the following articles which demonstrates storing connection strings in encrypted format in config file

How to: Secure Connection Strings When Using Data Source Controls [^]

Encryption of Connection Strings Inside the Web.config in ASP.NET 2.0 [^]

Hope you find this as useful.
 
Share this answer
 
Comments
Sergey Alexandrovich Kryukov 21-Jul-11 12:29pm    
Agree, a 5; please also see my solution.
--SA
Please check this great tips out: Password Storage: How to do it.[^]
 
Share this answer
 
Comments
Sergey Alexandrovich Kryukov 21-Jul-11 12:27pm    
Good reference, my 5. That said: never store passwords in its original form. Please see my solution.
--SA
Uday P.Singh 21-Jul-11 12:35pm    
nice link my 5 too!!
Kim Togo 24-Jul-11 8:22am    
Thanks
Well, if you are accessing a remote database, wouldnt you have a user table in there? Otherwise, look at using hashing. A hash cant be reversed, so it is impossible for a "hacker" to get the password. .Net has built in libraries to help with hashing.

http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha1.aspx[^] -- SHA1 - Newer and considered more secure.

http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5.aspx[^] -- MD5 - Still reliable if you ask me..

Hope this helps.

P.S - When the user tries to log in, you will generate a hash and compare it to the already hashed password. The only place that I can think will be safe to store this is in a database or authenticate via a web service.
 
Share this answer
 
v3
Comments
Richard Andrew x64 20-Jul-11 18:39pm    
I'm talking about the password for the database itself. It has to be stored on the client machine. But what is the preferred method?
Sergey Alexandrovich Kryukov 21-Jul-11 12:28pm    
I voted 4. MD5 is considered broken. Please see my solution.
--SA
Try using credential manager msdn.microsoft.com/en-us/library/aa480470.aspx
 
Share this answer
 
You should never store passwords anywhere. If you think about it, the password itself is not needed for authentication. Let's consider the simplest approach: you apply cryptographic hash function (http://en.wikipedia.org/wiki/Cryptographic_hash_function[^]) to a password and stored its hashed version only.

When the user supplied a password for authentication, you apply the same exact hash function to it and compare the hashed data. Do to the properties of the cryptographic hash functions, nobody can revert it to obtain an original password, so it is kept private to the user.

Warning! Do not use MD5 as it is found to be broken. See http://en.wikipedia.org/wiki/MD5[^]. Use one of the functions from the SHA family, see http://en.wikipedia.org/wiki/SHA-2[^]. Those functions are well implemented in .NET, see what's available here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm%28v=VS.100%29.aspx[^].

Of course you can apply more "serious" encryption to the passwords, but the main idea is: you never store original password; and you don't know them, only the users know.

—SA
 
Share this answer
 
Comments
AspDotNetDev 21-Jul-11 12:34pm    
The question was not about storing user passwords, it was about storing the password to access the database. See my answer.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900