I have the following:

interface IDefectRepository { /* ... */ }
class MyDefectRepository : IDefectRepository
{
    public MyDefectRepository(string url, string userName, string password)
    {
        // ...
    }

    // ...
}

I'm using <parameters> to pass the constructor parameters from Web.config. Is there any way that I can store the password encrypted in the Web.config file? Other suggestions?

+1  A: 

Try inheriting MyDefectRepositoryWithEncryptedPasswords from MyDefectRepository. In the MyDefectRepositoryWithEncryptedPasswords constructor decrypt the password and pass it to the MyDefectRepository constructor, like so:

class MyDefectRepositoryWithEncryptedPasswords : MyDefectRepository
{
    public MyDefectRepositoryWithEncryptedPasswords(string url, string userName, string encryptedPassword)
        : base(url, userName, Decrypt(encryptedPassword))
    {
    }

    public static string Decrypt(string encrypted)
    {
        // Do whatever...
    }
}

Anyway, I don't think you should store encrypted passwords with two-way encryption methods. You should use some sort of hashing (of the cryptographic kind) and compare the hashes. That would require changing your constructor to receive not the password, but its hash.

Martinho Fernandes
+1 Never store recoverable passwords if all you ever need to do is authenticate a password. Store cryptographic hashes of the password instead.
Arnold Spence
Can't do that: it's the other end that needs the password, and I need to provide it. Think of it as MyRemoteDefectRepository.
Roger Lipscombe
@Roger: I thought of that and that's why I suggested the subclass/wrapper solution in the first place. Just don't forget to use a secure channel to transmit the password.
Martinho Fernandes
+1  A: 

You could inject the password via an ISubDependencyResolver (sample1, sample2) which would get the password from an encrypted section in your web.config.

Mauricio Scheffer
I like this idea. Quite simple, elegant, and most important - transparent to the upper (or inner, depends on your architecture) layers.
Krzysztof Koźmic
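A worked version of the sub-resolver idea above, added here as an example rather than code from the question or the answers. It assumes the Castle Windsor 3.x ISubDependencyResolver signature, that IDefectRepository from the question is in scope, and a hypothetical appSettings key named DefectRepository.Password; url and userName can stay in the existing <parameters> block, only the password is supplied by the resolver.

```csharp
using System;
using System.Configuration;
using Castle.Core;
using Castle.MicroKernel;
using Castle.MicroKernel.Context;

// Supplies the "password" constructor argument of IDefectRepository implementations
// from appSettings. With that section protected (see ProtectAppSettings), the
// plaintext never appears in Web.config and the repository class is untouched.
public class ProtectedConfigPasswordResolver : ISubDependencyResolver
{
    private const string SettingKey = "DefectRepository.Password"; // assumed key name

    public bool CanResolve(CreationContext context, ISubDependencyResolver contextHandlerResolver,
                           ComponentModel model, DependencyModel dependency)
    {
        // Only the string parameter named "password" on repository components.
        return dependency.TargetType == typeof(string)
            && dependency.DependencyKey == "password"
            && typeof(IDefectRepository).IsAssignableFrom(model.Implementation);
    }

    public object Resolve(CreationContext context, ISubDependencyResolver contextHandlerResolver,
                          ComponentModel model, DependencyModel dependency)
    {
        // Protected configuration is decrypted transparently by ConfigurationManager;
        // the DPAPI key lives with the machine/account, not in the config file.
        string password = ConfigurationManager.AppSettings[SettingKey];
        if (string.IsNullOrEmpty(password))
            throw new ConfigurationErrorsException("Missing appSettings key: " + SettingKey);
        return password;
    }
}

public static class ProtectedConfig
{
    // One-off deployment step, equivalent to: aspnet_regiis -pe "appSettings" -app "/MyApp"
    public static void ProtectAppSettings(string appVirtualPath)
    {
        var config = System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        var section = config.GetSection("appSettings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
    }
}

// Wiring, e.g. in Application_Start, before components are resolved:
// container.Kernel.Resolver.AddSubResolver(new ProtectedConfigPasswordResolver());
```

Because DPAPI keys are per machine (or per user with the right provider settings), the section has to be protected on the server where the site runs, not on a developer box.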