Blog Post

Encrypt usernames and passwords stored in files

,

I was looking at a product recently and came across a rather unpleasant surprise: the install instructions specified that I put the database connection in plaintext in web.config. I’ll explore this particular case and why it’s particularly egregious, but from a security perspective, this shouldn’t happen anymore, regardless of application. We have the tools and the processing power where encrypting data of this sort should be a no-brainer.

The Specific Case

When I say web.config, that should reveal that the application is an ASP.NET web application. It is. And modern ASP.NET apps (anything ASP.NET 2.0+) have the ability to store encrypted keys. The keys are stored encrypted in the registry and the way to get the keys are stored in the web.config file. Therefore, there is no need for anything sensitive to be in plaintext.

The way to do this is with the tool aspnet_regiis.exe. Here are the instructions on MSDN for how to use it in Microsoft.NET Framework 4.0. You can hit the drop down for other versions which will take you back all the way to SQL Server 2005 and 2.0. This feature has been around for about 10 years, as this old document indicates. Since it’s been around that long, there’s no good reason not to do this as a standard course of action for a web application.

But What If the Attacker Gets Admin Rights?

This isn’t to say that you have to use this method. It’s free. It works. However, the point is that credentials should not be left in plaintext. Yes, an attacker who gets administrative access to a server will likely have the resources to be able to decrypt and eventually get the information. However, this is a relatively easy step that makes things harder. It’s a low cost defense. Therefore, it should be implemented.

It Also Means the Username / Password Doesn’t Show Up via Searches

The other thing that encrypting the username and password or even the whole connection string is it means searches of files for this kind of information fail. It’s a trivial thing to run a search and see if you can get some additional nuggets like a username/password combination. Therefore, most smart attackers do these kinds of things. When I pen test a system, I certainly do. Encrypt and the search won’t pick up the information. That’s a good enough reason in and of itself.

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

You rated this post out of 5. Change rating

2009-02-23

1,567 reads

Technical Article

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

You rated this post out of 5. Change rating

2009-02-17

1,530 reads

Technical Article

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

You rated this post out of 5. Change rating

2009-02-13

360 reads