Where should I store credentials
-
Hello folks, I want to store login credentials for a SMTP server which should be stored encrypted. In your opinion: Where should I store the credentials? How they should be secured? Why do you think should I use your suggestion? greetings Nico
Hi Nico, You can store the credentials in SQL Database. They can be secured by using Hash encryption (one way encryption).
-
Hello folks, I want to store login credentials for a SMTP server which should be stored encrypted. In your opinion: Where should I store the credentials? How they should be secured? Why do you think should I use your suggestion? greetings Nico
I guess it is your application which tries to communicate with the SMTP server. Hence the application must be able to retireve the clear text password when connecting to the server. Consequently, you cannot hash the password, but you must encrypt it. This also adds the question of how to store the key and the salt value. Next question is: who configures your application? Is it the "user" who enters his personal SMTP credentials or is it an administrator of the user's company who does so (and applies the same configuration to all installations of the application in the company)? Depending on the answer, you may use a user-specific settings file, a program specific settings file, the *.exe.config file, store data in a database, etc... Also note that the .exe.config file contains a connectionStrings section, which can be "automatically" encrypted and also used for this purpose.
-
Hi Nico, You can store the credentials in SQL Database. They can be secured by using Hash encryption (one way encryption).
That won't work. See Bernard's message below for why it won't. Cheers, Peter
Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
-
Hi Nico, You can store the credentials in SQL Database. They can be secured by using Hash encryption (one way encryption).
Right that won´t work.
-
I guess it is your application which tries to communicate with the SMTP server. Hence the application must be able to retireve the clear text password when connecting to the server. Consequently, you cannot hash the password, but you must encrypt it. This also adds the question of how to store the key and the salt value. Next question is: who configures your application? Is it the "user" who enters his personal SMTP credentials or is it an administrator of the user's company who does so (and applies the same configuration to all installations of the application in the company)? Depending on the answer, you may use a user-specific settings file, a program specific settings file, the *.exe.config file, store data in a database, etc... Also note that the .exe.config file contains a connectionStrings section, which can be "automatically" encrypted and also used for this purpose.
Hello Bernhard, thank you for your reply! The SMTP credentials are configured by an Administrator and not by the end user, so the SMTP is a global SMTP. Ok, and in case of an ASP.NET application, this would be the web.config, wouldn´t it be? To secure the configuration section would this be the appropriate way?
greetings Nico
-
Hello Bernhard, thank you for your reply! The SMTP credentials are configured by an Administrator and not by the end user, so the SMTP is a global SMTP. Ok, and in case of an ASP.NET application, this would be the web.config, wouldn´t it be? To secure the configuration section would this be the appropriate way?
greetings Nico
You identified the right section for web.config. I'd suggest to enter the credentials and do the protection during the deployment of the application.
-
Hello folks, I want to store login credentials for a SMTP server which should be stored encrypted. In your opinion: Where should I store the credentials? How they should be secured? Why do you think should I use your suggestion? greetings Nico
-
Use the System.Security.Cryptography.ProtectedData class. It's designed for exactly this task.
Thank you for your reply, but isn´t this class´ purpose only for encrypting and decrypting data with the dapi mechanism?
-
Thank you for your reply, but isn´t this class´ purpose only for encrypting and decrypting data with the dapi mechanism?
-
Use the System.Security.Cryptography.ProtectedData class. It's designed for exactly this task.