I have the following connection string:
Data Source=Paul-HP\MYDB;Initial Catalog=MyMSDBSQL;Persist Security Info=True;User ID=sa;Password=password
(.net webservice) This can obviously be viewed simply by opening up the app.config file and looking at the configuration settings.
What I need is a way to make a hacker unable to see the password. But at the same time, leave it customisable so that it can be changed when deployed on another database.
You have a number of options - the ones that I am aware of (in order of preference):
So for example the connection string might look like this:
Data Source=Paul-HP\MYDB;Initial Catalog=MyMSDBSQL;Persist Security Info=True;User ID={0};Password={1}
I'd go for option 1, if thats not possible then option 2. I've mentioned option 3 for completeness.
Have you read Protecting Connection Information (ADO.NET)?