Encrypted Connection
-
I've been developing an app that uses a SQL Compact database (3.5). When the app installs, the database connection path is designed to be dynamic (i.e. I don't know if their local drive will be C?), so I've written the following (feel free to advise if there is a better way to do this):

    namespace SomeNameSpace.DataAccess.Help.SQLCommands
    {
        internal class ConnectionCommand
        {
            internal static class GetConnectionCommand
            {
                // Builds the connection string relative to the folder the app was started from.
                internal static string LiveDatabase()
                {
                    // The database password is hard-coded here in plain text.
                    return "Data Source=" + System.Windows.Forms.Application.StartupPath
                        + "\\Data\\database.sdf;Password=password1;Persist Security Info=True";
                }
            }
        }
    }

But I'm concerned about having the password in free text. Any example of how I can improve this? Thanks.
-
You mean you're concerned that it's plaintext? Well, don't worry, it's impossible to actually encrypt it. You can obfuscate it (possibly with encryption, but the key you use for that will have to be stored, unless you encrypt the key, in which case you have a new key, and in the end you will always have an unencrypted key), but keep in mind that obfuscating it will tell any hacker who just accidentally comes across it that it is something that you wanted to hide and thus must be something important.

So, my advice would be to use the "hide in plain sight" trick - just put it in the AppSettings somewhere, not encrypted, but in separate parts (not the whole string, but only parts, like "password1" or maybe "pass" and "word1" somewhere else to make it look less like a password). Doing any encryption on it will only make it stand out, and it will never make it impossible to get the password unless even your app itself cannot get the password either (which is pretty lame).
-
Encrypt the password in the settings file. As Harold said, you can't stop a REALLY determined hacker, but then you aren't interested in a really determined hacker; your customers are only mildly curious about the data in THEIR database, and an encrypted password will do 2 things: supply a reasonable level of security against the power user and assure your customer that you take security seriously. Remember, the customer is, well, your customer, and it is his perceptions you need to cater for.
Never underestimate the power of human stupidity RAH
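
One way to do what the reply above suggests on Windows, as an added example that is not code from the thread: DPAPI (`ProtectedData`) encrypts the password under a key tied to the Windows account, so the application stores no key of its own, although code running as that same user can still call `Unprotect`. The `secretPath` parameter, the class name and the entropy string are assumptions made for illustration.

```csharp
// Added example, not code from the thread. Needs a reference to System.Security.dll.
using System;
using System.Data.Common;
using System.IO;
using System.Security.Cryptography;
using System.Text;

internal static class ProtectedConnection
{
    // Constructed, app-specific entropy. It is not a key; it only separates this
    // blob from other DPAPI blobs created under the same Windows account.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("SomeNameSpace.DataAccess");

    // Run once (first start or setup) with the real database password.
    // secretPath is a hypothetical per-user file, e.g. under LocalApplicationData.
    internal static void StorePassword(string secretPath, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(
                plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(secretPath, blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not leave the bytes around
        }
    }

    // Throws CryptographicException if the blob was created under another
    // account or machine, or has been modified on disk.
    internal static string LiveDatabase(string startupPath, string secretPath)
    {
        byte[] blob = File.ReadAllBytes(secretPath);
        byte[] plain = ProtectedData.Unprotect(
            blob, Entropy, DataProtectionScope.CurrentUser);
        try
        {
            var builder = new DbConnectionStringBuilder();
            builder["Data Source"] = Path.Combine(startupPath, @"Data\database.sdf");
            builder["Password"] = Encoding.UTF8.GetString(plain);
            // Keep the password from being readable off the open connection.
            builder["Persist Security Info"] = false;
            return builder.ConnectionString;
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }
}
```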
-
harold aptroot wrote:
So, my advice would be to use the "hide in plain sight" trick
..That's just bad advice.
-
Not really, there's nothing better you can do. If you "encrypt" it, the "encrypted" data will stand out like a fire in the night, and coupled with the fact that it's impossible to actually encrypt it, the situation would just be worse than if it weren't encrypted (and people would just ignore the data unless they were actively trying to hack it).