user1567194

Reputation: 179

How to encrypt and save a password

I am working on a security issue in a .NET application, and it has been reported to me that my code is vulnerable. I see the issue is the way I store the password.

For example:

<add key="RegxxxChannelPassword" value="test"/>
<add key="xxxRegistrationConnStr" value="xxxxxxxxxx;

So my tool was showing that storing the password in plain text is dangerous.

So can I encrypt the password and save it?

Can someone please suggest any algorithms?

Upvotes: 0

Views: 251

Answers (3)

Jason P

Reputation: 27012

You can encrypt sections of the web.config using aspnet_regiis, but the web.config is a pretty standard place to store passwords and such, as long as the website is deployed to a server that you own. You could also put the values in the registry, but in most cases, that's unnecessary. Here's an article on encrypting web.config sections:

http://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.100%29.aspx

If you go that route, you'll run the command to encrypt the web.config as a deployment step, and the application will handle decrypting and using the values on its own.

Upvotes: 1
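The deployment step described in the answer above, sketched as an added example (not part of the original answer or of Microsoft's documentation). The site path and framework directory are assumptions; `-pef` is the aspnet_regiis switch that encrypts a named section of the web.config in a physical directory.

```powershell
# Added example: encrypt web.config sections at deploy time, then verify the result.
# $SitePath is a hypothetical physical path; adjust it and the framework folder to the server.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\MyApp',
    [string[]]$Sections = @('appSettings', 'connectionStrings')
)

$ErrorActionPreference = 'Stop'

# Usual location of the 64-bit .NET Framework 4.x tool (assumption about the target server).
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

$configPath = Join-Path $SitePath 'web.config'
if (-not (Test-Path $configPath)) { throw "No web.config under $SitePath" }

foreach ($section in $Sections) {
    # Encrypt one section in place; the application decrypts it transparently at runtime.
    & $regiis -pef $section $SitePath
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed for section '$section'" }
}

# Verification: fail the deployment if any section is still readable.
[xml]$config = Get-Content -Path $configPath -Raw
foreach ($section in $Sections) {
    $node = $config.configuration.SelectSingleNode($section)
    if ($null -eq $node) { throw "Section '$section' is missing from web.config" }

    # A protected section names its provider and holds an EncryptedData element.
    if (-not $node.GetAttribute('configProtectionProvider')) {
        throw "Section '$section' has no configProtectionProvider attribute"
    }
    if ($null -eq $node.SelectSingleNode("*[local-name()='EncryptedData']")) {
        throw "Section '$section' contains no EncryptedData element"
    }
    # Any remaining <add> child means plaintext keys or connection strings survived.
    if ($node.SelectNodes('add').Count -gt 0) {
        throw "Section '$section' still contains plaintext <add> entries"
    }
    Write-Output "Section '$section' is encrypted."
}
```

With the default RSA provider the key container is machine-level, so run this on the server that hosts the site, and make sure the application pool identity has read access to that container (aspnet_regiis `-pa`).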

Martin

Reputation: 2300

I'd recommend that you have a look at Rijndael for two-way encryption, if you want to store your password in Web.config: http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndael.aspx

I agree with @Renan, the proper way to go is to use MembershipProvider.

Upvotes: 0

Geeky Guy

Reputation: 9399

It'd be much more simple to use a membership provider. If you're doing the encryption on your own you're reinventing the wheel and disregarding what the framework could do for you.

I suggest you go read about it.

The relevant property of the provider, in this case, is passwordFormat.

Edit: for a moment there I thought you were talking about user passwords. If it's a password for a connection string, it should be in a .config file, like web.config. If you have it in the proper place, VS won't complain about it being unencrypted, since it's content that will never get served to a client anyway.

Upvotes: 2
