2

I currently have an application that connects to a database for user logins.

However, the password is all written in plain text.

This is something that I really don't want. I was wondering if there was any way of creating a SECURE connection string?

I understand that some people have answered this question before but all answers were made 2 years ago. I was wondering if anyone had any newer methods of doing this?

I have seen a lot of answers saying I should have the "trusted-user = true" tag on the connection string. If I'm correct in thinking, this allows a user to connect with their Windows password.

However as I want this to be a login form for my C# application does that mean I would have to trust every machine that connects to the database? This seems also a little insecure.

So I was wondering if there were any better methods of doing this?

4
  • Did you look at stackoverflow.com/questions/9408113/…? Commented Apr 13, 2018 at 11:04
  • Trusted connection means that the connection is made using the credentials of the Windows User the application is running under. You don't trust the application, you're trusting the Windows Authentication that has already happened to enable the user to log into their PC, or open the application, etc. Commented Apr 13, 2018 at 11:23
  • "I would have to trust every machine that connects to the database?" The connection is based on the Windows authenticated user, not the machine. If your application is used only within the company, you can use this kind of connection; just add to SQL Server the users from the Windows domain that need to be allowed to access the application. Commented Apr 13, 2018 at 11:37
  • @RicardoPontual Yeah, the application is going to be used by multiple different people once downloaded. So having a trusted user can't be an option. Commented Apr 13, 2018 at 12:25

2 Answers

1

Simply create a function and return your password from there. Don't use ConfigurationManager.ConnectionStrings["WingtipToys"].ConnectionString because it can be viewed by any text file editor.

Use this:

Server=myServerName\myInstanceName;Database=myDataBase;User Id=myUsername();Password=myPassword();

myUsername and myPassword are method names.


1 Comment

So what would the myPassword(); function do though? Would it be plain text in there or not? This is where I'm getting confused. I understand how to connect to a MySQL database but how should the password be securely stored?
0

I'd recommend using Windows authentication or Integrated Security for your database connection if you can. This does involve making sure that all users of your application are also set up as users in your database as well. Sometimes that isn't always an option or desirable.

Failing that, I'd choose to have config file encryption so that credentials can't be viewed by a decompiler. This link provides some good information.

2 Comments

As mentioned in the description and in previously answered questions, Windows Authentication isn't an option because it is going to be sent to many users. I don't know who the users are going to be, therefore I can't add them to the database.
Sure, so then I'd certainly suggest using config file encryption. The link provided gives a reasonable idea as to how and why you would look to do that.
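
The config file encryption suggested in the answer above, as an added example (not code from the answer or from the page it links to): a .NET Framework app encrypts its own `<connectionStrings>` section on first run with the built-in DPAPI provider and then reads it back normally. It assumes an App.config entry named "WingtipToys" (the name used in the first answer); the class and method names are hypothetical.

```csharp
using System;
using System.Configuration; // add a reference to System.Configuration.dll

static class ConnectionStringProtector
{
    // Built-in provider backed by Windows DPAPI. With default settings it uses the
    // machine store, so the encrypted file cannot be decrypted on another machine,
    // but processes on the same machine still can.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the running app's .exe.config if it is still
    // plain text. Returns true when this call performed the encryption.
    public static bool EnsureProtected()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section.");
        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified); // needs write access to the file
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    // Reads a named connection string; decryption is transparent to the caller.
    public static string Get(string name)
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
        if (entry == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);
        return entry.ConnectionString;
    }
}

static class Program
{
    static void Main()
    {
        bool encryptedNow = ConnectionStringProtector.EnsureProtected();
        Console.WriteLine(encryptedNow ? "Section encrypted." : "Section already encrypted.");
        // "WingtipToys" is assumed to exist in App.config; never log the value itself.
        string cs = ConnectionStringProtector.Get("WingtipToys");
        Console.WriteLine("Loaded connection string ({0} chars).", cs.Length);
    }
}
```

Because the key is tied to the machine, the section has to be encrypted on each machine where the application is installed rather than shipped pre-encrypted.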
