How to secure the user name and password in the connection string?

sniff_bits · Jan 24, 2014 · Viewed 12.9k times

When developing Windows applications:

  1. How do I secure the user name and password in the connection string?

  2. Organizations like banks: would they give out the user name and password of their DB to application developers? If not, how do those application developers typically write the DB connections?

  3. What is the industry standard to secure user and password in the connection string?

Thanks

Answer

Joe · Jan 24, 2014

  1. How do I secure the user name and password in the connection string?

Either use Windows authentication to eliminate the need for a password in the connection string, or use a combination of one or more of:

Note that the above techniques work well for server applications (e.g. ASP.NET), where access to the server can be restricted to authorized administrators. They don't work well for client-side applications that directly access a database.

Note also that encryption on its own is not sufficient: it simply replaces the problem of controlling access to a plaintext configuration file by the problem of controlling access to encryption keys. When using Protected Configuration, you need to decide how to restrict access to the encryption keys used to encrypt your configuration file.

2. Organizations like banks: would they give out the user name and password of their DB to application developers? If not, how do those application developers typically write the DB connections?

In general developers will only be given credentials to access databases in a development / test environment. Access to production databases will be restricted.

3. What is the industry standard to secure user and password in the connection string?

There is no "industry standard", but see answer to question 1.
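
The two options named in the answer above, as an added example that is not part of Joe's answer: a C# program for .NET Framework that checks whether a connection string relies on Windows authentication and encrypts the `connectionStrings` section of the application's own config file with Protected Configuration. It assumes a reference to System.Configuration.dll; the server name, database name and credentials in the sample strings are constructed.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;

static class ConnectionStringHardening
{
    // True when the string uses Windows authentication and embeds no SQL login.
    public static bool UsesWindowsAuth(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return b.IntegratedSecurity
            && string.IsNullOrEmpty(b.UserID)
            && string.IsNullOrEmpty(b.Password);
    }

    // Encrypts <connectionStrings> in this application's .config file in place.
    // "DataProtectionConfigurationProvider" is the built-in DPAPI provider. With
    // its default machine-level protection any process on the same machine can
    // decrypt the section, so access to the host still has to be restricted.
    public static void ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("connectionStrings section not found");
        if (section.SectionInformation.IsProtected)
            return; // already encrypted

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    static void Main()
    {
        // Constructed sample strings (hypothetical server and database names).
        string windowsAuth = @"Data Source=db01;Initial Catalog=Orders;Integrated Security=SSPI";
        string sqlLogin = @"Data Source=db01;Initial Catalog=Orders;User ID=app;Password=example";

        Console.WriteLine(UsesWindowsAuth(windowsAuth)); // True: no secret to protect
        Console.WriteLine(UsesWindowsAuth(sqlLogin));    // False: password stored in the string

        // Code that reads ConfigurationManager.ConnectionStrings afterwards is
        // unchanged; the section is decrypted transparently when it is loaded.
        ProtectConnectionStrings();
    }
}
```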