Click here to Skip to main content
Click here to Skip to main content

Storing Your Connection String Password in SecureString

, 23 Jun 2012 CPOL
Rate this:
Please Sign up or sign in to vote.
This trick can provide some extra protection for your passwords used in connection strings against runtime attacks.

Introduction

Strings have always been quite interesting for hackers. I have wrote an article about its reasons that could be found here. One of the key victims of this type of attack is ConnectionStrings in memory primarily because it can have database credentials. Typically developers use classes like SqlConnectionStringBuilder or OracleConnectionStringBuilder etc. to build connection strings. The problem is that these classes expose string type Password property to set the password for authenticating users. As I mentioned in my other article (why hackers love string data types), Microsoft has provided SecureString class that provides some protection against runtime attacks targeting strings in memory. However, we couldn't have used this SecureString in context of connection string as the classes like SqlConnectionStringBuilder, OracleConnectionStringBuilder, etc., were still using string data type for password field. With .NET 4.5, this is going to change. In .NET 4.5, Microsoft has introduced a class called SqlCredential. As you can seen below, its constructor takes a SecureString type for password.

public SqlCredential( string userId,  SecureString password )

So now developers have the ability to use SecureString for storing password in connection strings when using SQL authentication. Of course, if possible, using Windows authentication should be preferable as it is more secure.

Lastly, let me be very clear about SecureString, people have found ways of working around SecureString too, so I am not saying that it is perfectly safe, however, it does make cracking a password a bit more difficult (at least for causal hackers).

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Kamran Bilgrami
Architect
Canada Canada
Kamran Bilgrami is a seasoned software developer with background in designing mission critical applications for carrier grade telecom networks. More recently he is involved in design & development of real-time biometric based security solutions. His areas of interest include .NET, software security, mathematical modeling and patterns.
 
He blogs regularly at http://WindowsDebugging.Wordpress.com
Follow on   Twitter

Comments and Discussions

 
GeneralMy vote of 5 PinmemberURVISH_SUTHAR16-Sep-13 0:30 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.141220.1 | Last Updated 23 Jun 2012
Article Copyright 2012 by Kamran Bilgrami
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid