Reputation: 512
Currently I'm working on a project using MVC4 in which we have a service reference looking into the database to return our content. The service reference requires me to provide the username/password each time I make a call.
What would be best practices for this? Should I encrypt the password then save it to a cookie or should I issue the user an Auth Token? Or would there be a third option?
Upvotes: 0
Views: 489
Reputation: 93434
First. Don't. Just don't. NEVER ever ever ever ever ever ever store the user's password. Never. I mean it. Never. Under no circumstances. There are no mitigating factors. There is nothing so important that you should ever break this rule. Ever. If your only choice is to break this rule (say, from a third-party service that you don't control), then refuse to do it. Make someone, somewhere budge on it. Quit your job if you have to. I'm that serious.
If you save the user's password, you are breaking the trust between the user and the software. You're making passwords discoverable, if hacked, and those passwords can be re-used to do nasty things (such as getting into someone's bank account and taking all their money). If you save passwords, you are part of the internet security problem as a whole. I don't care how small you think you are, or how irrelevant the data might be. Someone's password controls access to many important things you may not know about.
So don't do it. Just don't.
Now, on to solving your real problem. How to deal with this issue varies depending on the situation. Is this service on the same domain as the web server? Is it under your control? Can you change the interface? Are you developing the service? Please explain the circumstances.
Upvotes: 2