Passwords within the web.config?

  • Question

  • User1885505842 posted
    Hey guys,

    I have a customer requirement to somehow stop the use of clear text passwords within the web.config. There are three passwords to database servers as well as a service account password for forms authentication.

    During my preliminary research it seems the recommended method is to encrypt the web.config or to move those passwords to another configuration file which is encrypted. There are several articles on the web outlining how to do this.

    What other recommended methods are you guys aware of without significant architectural changes?
    Friday, November 8, 2019 10:41 PM

All replies

  • User283571144 posted

    Hi steppinthrax,

    In my opinion, using the aspnet_regiis.exe tool to encrypt the web.config connection string is the best way to achieve your requirement. It will not significantly modify your architecture.

    Microsoft also provides an article that talks about "Protecting Connection Information".

    It recommends encrypting the configuration files.

    Article link: https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/protecting-connection-information 

    About how to encrypt the config, you could refer to this article.

    https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files     

    Best Regards,

    Brando

    Monday, November 11, 2019 7:07 AM
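
The aspnet_regiis.exe approach recommended in the reply above, sketched as an added example that is not part of the original thread. The site path and application pool name are hypothetical placeholders, and the script assumes a 64-bit .NET Framework 4.x install and that the secrets live in top-level sections such as `connectionStrings`.

```powershell
# Added example: encrypt web.config sections in place with aspnet_regiis.exe.
param(
    [string]$SitePath   = 'C:\inetpub\wwwroot\MyApp',  # hypothetical folder holding web.config
    [string]$AppPool    = 'MyAppPool',                  # hypothetical IIS application pool name
    [string[]]$Sections = @('connectionStrings')        # add other top-level sections with secrets, e.g. 'appSettings'
)

$ErrorActionPreference = 'Stop'
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$config = Join-Path $SitePath 'web.config'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }
if (-not (Test-Path $config)) { throw "No web.config under $SitePath" }

# Keep a plaintext copy outside the web root until the site is verified.
$backup = Join-Path $env:TEMP ("web.config.{0:yyyyMMddHHmmss}.bak" -f (Get-Date))
Copy-Item $config $backup

foreach ($section in $Sections) {
    # -pef encrypts the named section of the web.config found at a physical path.
    & $regiis -pef $section $SitePath -prov 'RsaProtectedConfigurationProvider'
    if ($LASTEXITCODE -ne 0) { throw "Encrypting '$section' failed (exit code $LASTEXITCODE)" }
}

# Allow the app pool identity to read the machine-level RSA key container,
# otherwise the application cannot decrypt its own configuration at startup.
& $regiis -pa 'NetFrameworkConfigurationKey' "IIS APPPOOL\$AppPool"
if ($LASTEXITCODE -ne 0) { throw "Granting key container access failed (exit code $LASTEXITCODE)" }

# Verify that each section now holds an <EncryptedData> element instead of clear text.
[xml]$xml = Get-Content $config -Raw
foreach ($section in $Sections) {
    $node = $xml.configuration.$section
    if (-not $node.EncryptedData) { throw "Section '$section' is still in clear text" }
    '{0}: encrypted with {1}' -f $section, $node.configProtectionProvider
}
"Plaintext backup saved to $backup; delete it once the application starts cleanly."
```

The application code does not change, because ASP.NET decrypts protected sections transparently when it reads them. The encrypted file can only be decrypted on a machine that holds the same RSA key container, and anyone who can run code as the app pool identity or as a local administrator on that server can still recover the values.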