Possible Duplicate:
Ways around putting a password in code

If you create an application that, for example, connects to a database or an FTP server, it needs a username and a password.

How do you recommend storing this?

The first and easiest option is of course as plain text in the application, but then I guess it would be quite clear and visible if you somehow decompiled the application (or the application was already in clear text, as in the case of PHP etc.). But is there any way around this? You could of course encrypt it, but then you would have to decrypt it, which (although I may be wrong) usually requires something like a password or a token of some sort. And then you are back at the beginning, because where do you store that password/token?

What are some good practices in this area?

+2  A: 

Very similar to this SO question

http://stackoverflow.com/questions/1214582/ways-around-putting-a-password-in-code/1214689#1214689

Since you did not mention the platform, I am assuming Windows. I am reproducing my answer to that question here.

You have multiple options here.

1. You can hash the password the very first time and store the hash to a file. Now the next time you want to execute the code with elevated privileges, you need to accept/retype the password, re-compute the hash and match it with the stored hash. Only if it matches will you execute your code in elevation mode. You could hash using SHA. Please look at the System.Cryptography namespace for examples on hashing.

2. The second option is to encrypt the password using algorithms like AES. However, you will need to have a key to do this and you will have to worry about securing this key.

3. The third option is to use DPAPI and encrypt the password but not worry about securing the keys - a much easier option than 2.

I would recommend 1 if you do not mind re-entering the password every time the application starts. If that is not a possibility, I would suggest going with 3 and use DPAPI.

Here are some links to get you started.

1. http://www.obviex.com/samples/dpapi.aspx
2. http://www.obviex.com/samples/Encryption.aspx

msvcyc
The suggestion to hash the password fails to take the rainbow table attack into account. The password must be "salted" before it is hashed. See http://www.codinghorror.com/blog/archives/000949.html
Wim Coenen
Also, don't copy-paste your own answers if you can link to them.
Wim Coenen
I will mark this as accepted for the effort anyways. Will read more in the related question :)
Svish
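Added example, not code from the question or the answer: options 1 and 3 of the accepted answer written out in C# on Windows/.NET, with the salt that the comment on the answer asks for. Option 1 stores a salted hash of a password that the user retypes at each start (PBKDF2 via Rfc2898DeriveBytes rather than bare SHA, so that guessing is slow as well as salted), and option 3 seals the actual database credential with DPAPI through ProtectedData so that no key of your own has to be protected. File names, the salt size, the iteration count and the entropy string are this example's own choices. It assumes .NET Core 2.1+ or .NET 5+ on Windows (ProtectedData needs the System.Security.Cryptography.ProtectedData package there; on .NET Framework it needs a reference to System.Security.dll, and CryptographicOperations.FixedTimeEquals is not available).

```csharp
// Added example (not from the page). Two ways to keep a credential out of the source:
// Option 1: store a salted PBKDF2 hash and verify a retyped password at startup.
// Option 3: store the credential sealed with DPAPI (Windows only).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class SecretStore
{
    const int SaltBytes = 16;         // assumption: 128-bit random salt
    const int HashBytes = 32;
    const int Iterations = 100_000;   // assumption: PBKDF2 rounds, tune for your hardware

    // ---- Option 1: salted hash, user retypes the password each start ----

    // Writes "salt:hash" (both base64) to disk. A fresh random salt per stored hash
    // defeats precomputed (rainbow) tables; PBKDF2 iterations slow down brute force.
    public static void StorePasswordHash(string path, string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] hash = Derive(password, salt);
        File.WriteAllText(path, Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash));
    }

    // Re-derives the hash from the retyped password with the stored salt and compares.
    public static bool VerifyPassword(string path, string candidate)
    {
        string[] parts = File.ReadAllText(path).Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] stored = Convert.FromBase64String(parts[1]);
        byte[] computed = Derive(candidate, salt);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(stored, computed);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // ---- Option 3: DPAPI, the OS holds the key ----

    // CurrentUser scope: only the same Windows account on the same machine can unprotect it.
    // LocalMachine scope would let any account on the machine do so, which is what a service
    // running under several identities needs, at the cost of that wider exposure.
    public static void StoreWithDpapi(string path, string credential, byte[] entropy)
    {
        byte[] plain = Encoding.UTF8.GetBytes(credential);
        byte[] sealedBytes = ProtectedData.Protect(plain, entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // do not leave the clear text in memory longer than needed
        File.WriteAllBytes(path, sealedBytes);
    }

    public static string LoadWithDpapi(string path, byte[] entropy)
    {
        byte[] sealedBytes = File.ReadAllBytes(path);
        byte[] plain = ProtectedData.Unprotect(sealedBytes, entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample values for the demonstration.
        string hashFile = Path.Combine(Path.GetTempPath(), "app.pwhash");
        string dpapiFile = Path.Combine(Path.GetTempPath(), "app.dbcred");
        // Optional entropy: an application-specific value that another program running as
        // the same user must also know before DPAPI will unprotect the blob.
        byte[] entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

        SecretStore.StorePasswordHash(hashFile, "correct horse battery staple");
        Console.WriteLine("right password: " + SecretStore.VerifyPassword(hashFile, "correct horse battery staple"));
        Console.WriteLine("wrong password: " + SecretStore.VerifyPassword(hashFile, "wrong"));

        SecretStore.StoreWithDpapi(dpapiFile, "db-password-entered-at-setup", entropy);
        string recovered = SecretStore.LoadWithDpapi(dpapiFile, entropy);
        Console.WriteLine("DPAPI round trip ok: " + (recovered == "db-password-entered-at-setup"));
    }
}
```

Note the difference between the two halves, which is the trade-off the answer describes: option 1 only lets the program check that the person at the keyboard knows the password, so it cannot by itself hand a database or FTP password to a connection, and the user must retype it every start. Option 3 gives the clear-text credential back, but only to the same Windows account on the same machine, so the sealed file is useless if copied elsewhere, while any code running as that user (with the entropy value) can read it.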