Where to store UserID/Password

[Fernandez]

Hi,
Where can I store username password information my ASP.NET project.
I am not using any database.
I preferred to store in Application Configuration File.
Suggestions are welcome.
--
Rgds,
Fernandez

[Hernan de Lahitte]

Configuration files are definetly a bad place to store sensitive data like
user credentials. Here you have some guidelines about storing sensitive data
on config files:
[url]http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx[/url]

You don't have a silver bullet here but you should add as many security
levels as you can (defense in deep).
One common approach is to store a regristry path in your config file and
save in that registry entry (with strong ACL) the encrypted data with DPAPI
(local machine mode). You just have a tool that do this here:
[url]http://support.microsoft.com/default.aspx?scid=kb;EN-US;329290[/url]

Then you have to decrypt this data and here you have this sample:

string decryptedData = Encoding.Unicode.GetString( ProtectedData.Decrypt(
registryBytes ) );

ProtectedData is the managed DPAPI wrapper in the Open Source NCrypto
proyect.
registryBytes is the byte array from the registry entry that create the tool
mentioned above.

You may get the NCrypto proyect from here:
[url]http://sourceforge.net/projects/ncrypto/[/url]


--
Hernan de Lahitte
Lagash Systems S.A.
[url]http://weblogs.asp.net/hernandl[/url]


This posting is provided "AS IS" with no warranties, and confers no rights.

"Fernandez" <Fernandez@discussions.microsoft.com> wrote in message
news:48ECBF4D-BB12-435A-A503-22F6795E2E0F@microsoft.com...

> Hi,
> Where can I store username password information my ASP.NET project.
> I am not using any database.
> I preferred to store in Application Configuration File.
> Suggestions are welcome.
> --
> Rgds,
> Fernandez