tags:

views:

304

answers:

4
+4  Q: 

How to securely store database connection details

In an application that needs to open a database connection, the username/password details must be sent to the database. What is the most secure way of storing, and using, this data?

+2  A: 

The exact method depends on the environment, but in general, you store the credentials in a location which is only readable by the user that your application is running as. For example on Windows you would store the credentials in the registry in a location protected by an ACL so that only that user could read it. Optionally, you could use the DPAPI to encrypt the data so it was further protected. In Unix, you would store it in a file that was protected with chmod (and optionally encrypted) so that only the app could read it.

1800 INFORMATION  2009-05-05 09:34:09
+1  A: 

That depends on the database you're using. For Microsoft SQL Server you either encrypt the database connection string in the configuration or you use integrated security, where you connect to the database using the identity of the application you're connecting from.

Ronald Wildenberg  2009-05-05 09:34:23
A: 

not in your source code but instead in a separate file read by your application. then use system security to make this file only readable by the application user

chburd  2009-05-05 09:34:40
+1  A: 

Excellent question.
It's an issue with which we've grappled - and come up with a variety of approaches.

The first answer is to go with 1800 INFORMATION's suggestion:

put it in an area only readable by the userid running your application.

I don't think you'll get a better all-round solution than this.

Other methods we've toyed with (and rejected):

  • Save it in an encrypted file
    • this only works if the attacker can't get to your code to see how the encryption works, so not so good most of the time.
  • Save it in the database and require a human to log on to start the application
    • this works, as long as you are in a position to have a real person start up the application all the time
  • Rely on built-in security devices, such as those in .NET (see rwwilden's answer).
    • this is a good solution if you are, e.g. a Microsoft shop.
AJ  2009-05-06 11:32:06

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL