Reputation: 10332
My asp.net web application is reading and decrypting the password from an XML file in the App_Start event of Global.asax. But where should I store this password afterwards? Would it be enough just to store it in a static public variable, or rather in the Application object?
EDIT: It's a database password.
Upvotes: 1
Views: 1711
Reputation: 126
SecureString is what you are looking for.
Never ever use a simple string object, as it's not encrypted and can survive different garbage collections, which means your password will be flying all over the memory for a long time and you won't have control over it unless you dynamically assign the GC generation, which can be quite evil. SecureString, instead, is automatically deleted when no longer in use.
On the other hand, when storing a password in the web.config, always ENCRYPT it. You can use aspnet_regiis.exe for this (it comes as part of the .NET Framework tools).
So, assuming you are storing the password within an xml element called "DBAccessPassword", the encryption command would look something like this:
aspnet_regiis.exe -pe "DBAccessPassword" -app "/yourApp"
This is a very useful technique that could really make the difference if, for example, your application is vulnerable to a Path Traversal vulnerability. Encrypting a password is always a good idea as it adds an additional layer of security to your application.
Performance
aspnet_regiis uses RSA by default. RSA is an asymmetric algorithm and because of this, depending on how often you retrieve your password, it could lead to a performance problem. Symmetric-key algorithms are generally much less computationally intensive than asymmetric-key algorithms. In practice, asymmetric-key algorithms are typically hundreds to thousands of times slower than symmetric-key algorithms.
Depending on the type of your application, you might also consider using a different algorithm.
Upvotes: 0
Reputation: 2405
You could store the password in the Application object.
However, my personal preference is to add a public static property to the Global class to access application-level data. That will give you Intellisense support, give you type safety (you could "accidentally" overwrite your password in the Application object with data of another type, for example), and make it easier to maintain your application later.
Upvotes: 0
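Putting the two suggestions above together (a SecureString, held in a static property on Global rather than in Application["..."]) as an added example that is not from any of the posts in this thread. It assumes the XML file is ~/App_Data/secrets.xml with a base64 DPAPI (ProtectedData.Protect) ciphertext in a DBAccessPassword element, and that some consumer really needs the password as a System.String.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Hosting;
using System.Xml.Linq;
public class Global : HttpApplication
{
    // Application-wide, typed holder; the private setter stops other code overwriting it.
    public static SecureString DbPassword { get; private set; }
    protected void Application_Start(object sender, EventArgs e)
    {
        // Assumed layout: <secrets><DBAccessPassword>base64 DPAPI ciphertext</DBAccessPassword></secrets>
        XDocument doc = XDocument.Load(HostingEnvironment.MapPath("~/App_Data/secrets.xml"));
        byte[] cipher = Convert.FromBase64String(doc.Root.Element("DBAccessPassword").Value);
        byte[] plain = ProtectedData.Unprotect(cipher, null, DataProtectionScope.LocalMachine);
        char[] chars = Encoding.UTF8.GetChars(plain);
        try
        {
            var secure = new SecureString();
            foreach (char c in chars) secure.AppendChar(c); // never builds a System.String
            secure.MakeReadOnly();
            DbPassword = secure;
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // wipe the transient plaintext copies
            Array.Clear(chars, 0, chars.Length); // rather than leaving them for the GC
        }
    }
    // Hands the password to 'action' as a string only for the call's duration, then zeroes
    // the unmanaged copy. That string is the one unavoidable window for APIs wanting System.String.
    public static T UseDbPassword<T>(Func<string, T> action)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(DbPassword);
            return action(Marshal.PtrToStringUni(ptr));
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }
}
```

With SqlClient the string window can be avoided entirely, because SqlCredential takes a read-only SecureString directly: new SqlConnection(connString, new SqlCredential(userId, Global.DbPassword)).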
Reputation: 28064
If you're that worried about it, use a SecureString in the Application object. However, I feel compelled to warn you that encrypted passwords in config files are a maintenance nightmare. You should really reconsider storing it in plain text in the web.config and simply denying access to the web.config file for all but sysadmins and the asp.net worker process user (probably NETWORK SERVICE).
Upvotes: 8
Reputation: 3699
Why is it necessary to encrypt the password? Is it unfeasible to store it in plain text in a connection string in the web.config?
Upvotes: 0
Reputation: 8966
Store it in the Application object. Since you're doing this in the Application_Start event in Global.asax, it will be available to your entire application whenever you need it. Also, by storing it in the Application object, you're not exposing it to the client side by using cookies, viewstate, etc.
// set it
Application["MyPassword"] = myDecryptedPassword;
And to retrieve it elsewhere in your app:
// get it
string myDecryptedPassword = Application["MyPassword"].ToString();
Upvotes: 5
Reputation: 23016
Why do you need the password during the entire session? Create a cookie or a session value and set a flag when the user logs in. You can then use this value to check if the user is logged in.
Upvotes: 1