See more: C#
What is the accepted way for a desktop application to store the user name and password that it uses to access a remote database?
 
I have searched, but found only articles about storing passwords in the database.
Posted 20-Jul-11 12:54pm

Solution 2

Have the application call a web service that has the stored password. Never store passwords on a user's computer.
Comments
Richard Andrew x64 at 20-Jul-11 18:40pm
   
How does this prevent an unauthorized user from retrieving the password?
AspDotNetDev at 20-Jul-11 18:50pm
   
The web service would run on a server that you control rather than on a user's computer.
Richard Andrew x64 at 20-Jul-11 18:54pm
   
But what prevents the unauthorized user from calling the web service? I'm sorry if I'm missing something obvious. Thanks for your help.
AspDotNetDev at 20-Jul-11 18:56pm
   
That's an entirely different matter. You can either authenticate a user (e.g., they have a username/password they must type in, which is different from the database connection password) or your web service only provides methods that are low risk.

Solution 4

I would suggest storing the password in the app.config/web.config in the connection string, in encrypted format.

See the following articles, which demonstrate storing connection strings in encrypted format in the config file:

How to: Secure Connection Strings When Using Data Source Controls

Encryption of Connection Strings Inside the Web.config in ASP.NET 2.0

Hope you find this useful.
Comments
SAKryukov at 21-Jul-11 12:29pm
   
Agree, a 5; please also see my solution.
--SA

Solution 5

Please check these great tips out: Password Storage: How to do it.
Comments
SAKryukov at 21-Jul-11 12:27pm
   
Good reference, my 5. That said: never store passwords in their original form. Please see my solution.
--SA
Uday P.Singh at 21-Jul-11 12:35pm
   
Nice link, my 5 too!!
Kim Togo at 24-Jul-11 8:22am
   
Thanks

Solution 1

Well, if you are accessing a remote database, wouldn't you have a user table in there? Otherwise, look at using hashing. A hash can't be reversed, so it is impossible for a "hacker" to get the password. .NET has built-in libraries to help with hashing.

http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha1.aspx -- SHA1 - Newer and considered more secure.

http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5.aspx -- MD5 - Still reliable if you ask me.
 
Hope this helps.
 
P.S - When the user tries to log in, you will generate a hash and compare it to the already hashed password. The only place that I can think will be safe to store this is in a database or authenticate via a web service.
Comments
Richard Andrew x64 at 20-Jul-11 18:39pm
   
I'm talking about the password for the database itself. It has to be stored on the client machine. But what is the preferred method?
SAKryukov at 21-Jul-11 12:28pm
   
I voted 4. MD5 is considered broken. Please see my solution.
--SA

Solution 3

Try using credential manager msdn.microsoft.com/en-us/library/aa480470.aspx

Solution 6

You should never store passwords anywhere. If you think about it, the password itself is not needed for authentication. Let's consider the simplest approach: you apply a cryptographic hash function (http://en.wikipedia.org/wiki/Cryptographic_hash_function) to a password and store only its hashed version.

When the user supplies a password for authentication, you apply the exact same hash function to it and compare the hashed data. Due to the properties of cryptographic hash functions, nobody can reverse it to obtain the original password, so it is kept private to the user.

Warning! Do not use MD5 as it is found to be broken. See http://en.wikipedia.org/wiki/MD5. Use one of the functions from the SHA family, see http://en.wikipedia.org/wiki/SHA-2. Those functions are well implemented in .NET, see what's available here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm%28v=VS.100%29.aspx.

Of course you can apply more "serious" encryption to the passwords, but the main idea is: you never store the original passwords, and you don't know them; only the users know.
 
—SA
Comments
AspDotNetDev at 21-Jul-11 12:34pm
   
The question was not about storing user passwords, it was about storing the password to access the database. See my answer.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 21 Jul 2011
Copyright © CodeProject, 1999-2014