What is the best practice for dynamically changing passwords in this scenario?

The scenario is:

There are three web apps using ASP.NET.

App1 checks the passwords of app2/app3 to authenticate their identity, and if app2/app3 is authenticated, then app1 is allowed to receive information from app2 and app3.

And app1 has to change the passwords of app2/app3 every two hours for security reasons.

Is there a way to implement this scenario without app1 saving the passwords of app2/app3, for security reasons?

Or is there any best practice for a dynamically changing password scenario?

+1  A: 

This sounds like a nightmare. What exactly is the point of changing the password every 2 or 3 hours and then automating it? This will only accomplish two things:

1) Open up a new vector of attack to your system. It will probably be MORE vulnerable.

2) Bring your app to a screeching halt when things get out of sync.

I'm fairly certain there are not "best practices" for this sort of thing because it's a bad idea in general.

Bryan
Thanks. I will reconsider this idea.
Mike108