Storing Your Connection String Password in SecureString

Kamran Bilgrami, posted 23 Jun 2012
This trick can provide some extra protection for your passwords used in connection strings against runtime attacks.


Strings have always been quite interesting for hackers. I wrote an article about the reasons for this, which can be found here. One of the key victims of this type of attack is the connection string held in memory, primarily because it can contain database credentials. Typically, developers use classes like SqlConnectionStringBuilder or OracleConnectionStringBuilder to build connection strings. The problem is that these classes expose a Password property of type string for setting the password used to authenticate the user. As I mentioned in my other article (why hackers love string data types), Microsoft provides the SecureString class, which offers some protection against runtime attacks that target strings in memory. However, we could not use SecureString in the context of a connection string, because classes like SqlConnectionStringBuilder and OracleConnectionStringBuilder still used the string data type for the password field. With .NET 4.5, this changes: Microsoft has introduced a class called SqlCredential. As you can see below, its constructor takes a SecureString for the password.

public SqlCredential( string userId,  SecureString password )

So developers now have the ability to use SecureString for storing the password of a connection string when using SQL authentication. Of course, where possible, Windows authentication should still be preferred, as it avoids handling a password in the application at all.
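The following example, added here and not part of the original article, shows how the pieces fit together in .NET 4.5: the password is collected character by character into a SecureString (so it never exists as a managed string), the SecureString is marked read-only (SqlCredential rejects a writable one), and the connection string itself carries no password. The server, database and user names are placeholders, and the console-based password prompt is one assumed way of getting the characters into the SecureString.

```csharp
using System;
using System.Data.SqlClient;
using System.Security;

static class SecureCredentialDemo
{
    // Read the password one keystroke at a time, appending each character
    // directly to the SecureString so the full password is never materialised
    // as a System.String in the managed heap.
    static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0) secure.RemoveAt(secure.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secure.AppendChar(key.KeyChar);
            }
        }
        Console.WriteLine();

        // SqlCredential's constructor throws unless the SecureString is read-only.
        secure.MakeReadOnly();
        return secure;
    }

    static void Main()
    {
        // The connection string deliberately contains no password. When a
        // SqlCredential is supplied, Integrated Security must be false and the
        // string must not carry a password or Persist Security Info.
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "SERVER_PLACEHOLDER",        // placeholder
            InitialCatalog = "DATABASE_PLACEHOLDER",  // placeholder
            IntegratedSecurity = false,
            PersistSecurityInfo = false
        };

        Console.Write("Password: ");
        using (SecureString password = ReadPassword())
        {
            // The user id is still a plain string; only the password is protected.
            var credential = new SqlCredential("APP_USER_PLACEHOLDER", password);

            using (var connection = new SqlConnection(builder.ConnectionString, credential))
            {
                connection.Open();
                Console.WriteLine("Connected as " + connection.Credential.UserId);
            }
        }
        // Disposing the SecureString zeroes its buffer; a plain string would
        // have lingered on the heap until the garbage collector reclaimed it.
    }
}
```

Two points worth checking in your own code: SqlCredential only protects the password, so the user id and the rest of the connection string remain ordinary strings, and SecureString contents are only encrypted in memory on Windows; on .NET Core and later running on Linux or macOS the class still zeroes its buffer on dispose but does not encrypt it.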

Lastly, let me be very clear about SecureString: people have found ways of working around it too, so I am not saying it is perfectly safe. However, it does make recovering a password from memory a bit more difficult (at least for casual hackers).


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Kamran Bilgrami
Canada Canada
Kamran Bilgrami is a seasoned software developer with background in designing mission critical applications for carrier grade telecom networks. More recently he is involved in design & development of real-time biometric based security solutions. His areas of interest include .NET, software security, mathematical modeling and patterns.

He blogs regularly at

Comments and Discussions

General: My vote of 5
URVISH_SUTHAR, 16-Sep-13 0:30

Last Updated 23 Jun 2012
Article Copyright 2012 by Kamran Bilgrami
Everything else Copyright © CodeProject, 1999-2017