Velocity Reviews - Computer Hardware Reviews

Passwords in web.config... is this secure?

John Buchmann
      12-15-2003
In my web.config, I have a section that has a name and
password:

<credentials passwordFormat="Clear">
<user name="aaa" password="bbb" />
</credentials>

Is this secure? What is to stop someone from opening up
this file (it's a simple text file), getting the
sensitive info, and then breaking into my site?

If this is NOT secure, what is there I can do to make it
secure?

Thanks!
John
Munsifali Rashid
      12-15-2003
When the .NET framework is installed, it modifies IIS to explicitly deny
public access to .config files. However, it's still not very secure... You
can encrypt the passwords using MD5 or SHA1, which will add a little more
security.

E.g.

<credentials passwordFormat="MD5">
<user name="username" password="hashedpasswordhere"/>
</credentials>

You can hash passwords using this online utility -
http://support.tigress-uk.com/technical/HashPwd.aspx, or it's quite easy to
create your own, if you prefer.

Hope this helps,

Mun
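The hashing step Mun describes, worked through as an added example (this is editor-supplied code, not code from the thread and not ASP.NET's own implementation). It assumes ASP.NET's documented behaviour for `passwordFormat`: the stored value is the uppercase hex digest of the password's UTF-8 bytes, the default format is SHA1, and FormsAuthentication compares clear-text passwords exactly but hashed values case-insensitively. The function names (`hash_for_config`, `make_credentials`, `load_credentials`, `authenticate`, `guess_from_wordlist`) and the extra sample fragments are choices made here. The last function is the check a practitioner would want before calling this "secure": the digest is unsalted and fast, so anyone who can read web.config (over FTP, say) can still recover a weak password offline, which is why hashing adds only "a little more security".

```python
"""Hash and verify ASP.NET 1.x <credentials> entries, and show what an
unsalted MD5/SHA1 entry does and does not protect against."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple

SUPPORTED_FORMATS = ("Clear", "MD5", "SHA1")


def hash_for_config(password: str, password_format: str) -> str:
    """Return the value to put in the password="..." attribute.

    Assumption: mirrors FormsAuthentication.HashPasswordForStoringInConfigFile,
    which digests the UTF-8 bytes of the password and returns uppercase hex.
    Clear text is returned unchanged.
    """
    if password_format == "Clear":
        return password
    if password_format == "MD5":
        return hashlib.md5(password.encode("utf-8")).hexdigest().upper()
    if password_format == "SHA1":
        return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    raise ValueError(f"unsupported passwordFormat: {password_format!r}")


def make_credentials(password_format: str, users: Dict[str, str]) -> str:
    """Render a <credentials> element as it would appear in web.config."""
    root = ET.Element("credentials", passwordFormat=password_format)
    for name, plain in users.items():
        ET.SubElement(root, "user", name=name,
                      password=hash_for_config(plain, password_format))
    return ET.tostring(root, encoding="unicode")


def load_credentials(fragment: str) -> Tuple[str, Dict[str, str]]:
    """Parse a <credentials> fragment into (passwordFormat, {name: stored})."""
    root = ET.fromstring(fragment)
    if root.tag != "credentials":
        raise ValueError("expected a <credentials> element")
    fmt = root.get("passwordFormat", "SHA1")  # ASP.NET's default is SHA1
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported passwordFormat: {fmt!r}")
    users = {u.get("name"): u.get("password") for u in root.findall("user")}
    return fmt, users


def authenticate(fragment: str, name: str, password: str) -> bool:
    """Check a submitted name/password the way FormsAuthentication.Authenticate
    does (assumption): exact match for Clear, case-insensitive for digests."""
    fmt, users = load_credentials(fragment)
    stored = users.get(name)
    if stored is None:
        return False
    candidate = hash_for_config(password, fmt)
    if fmt == "Clear":
        return candidate == stored
    return candidate.upper() == stored.upper()


def guess_from_wordlist(fragment: str, name: str,
                        wordlist: Iterable[str]) -> Optional[str]:
    """What someone who has already read web.config can do offline: the
    digest has no salt and no work factor, so a weak password falls to a
    plain dictionary run. Returns the recovered password or None."""
    fmt, users = load_credentials(fragment)
    stored = users.get(name)
    if stored is None:
        return None
    for word in wordlist:
        if hash_for_config(word, fmt).upper() == stored.upper():
            return word
    return None


# Sample data: the Clear fragment is the one from the original post; the
# hashed fragments are constructed here from the same name and password.
CLEAR_FRAGMENT = ('<credentials passwordFormat="Clear">'
                  '<user name="aaa" password="bbb" /></credentials>')
SHA1_FRAGMENT = make_credentials("SHA1", {"aaa": "bbb"})
MD5_FRAGMENT = make_credentials("MD5", {"aaa": "bbb"})

if __name__ == "__main__":
    print(SHA1_FRAGMENT)
    print("login aaa/bbb:", authenticate(SHA1_FRAGMENT, "aaa", "bbb"))
    print("login aaa/BBB:", authenticate(SHA1_FRAGMENT, "aaa", "BBB"))
    print("dictionary hit:",
          guess_from_wordlist(SHA1_FRAGMENT, "aaa", ["123456", "password", "bbb"]))
```

Run it to print a ready-to-paste `<credentials passwordFormat="SHA1">` element for "aaa"/"bbb", then watch `guess_from_wordlist` recover "bbb" from that same element in three guesses.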
John Buchmann
      12-15-2003
Mun,

Thanks for your reply and advice.

My problem is that if someone can log into the server via
an FTP program (I use WS_FTP), then the web.config is
easily viewable with no restrictions.

The encryption schemes you mentioned are to deny people
access via a web browser? I will look into hashed
passwords, but if someone gets into my site via an FTP
program, does this encryption do anything?

Thanks!
John
Munsifali Rashid
      12-15-2003
John,

What you could possibly do is only grant the ASPNET account access to the
web.config, and explicitly deny all other accounts, so that no other user
accounts can access it other than the ASPNET account. Assuming you're using
the standard FTP Server as part of IIS, users will have to log in using a
Windows account. The account they log in with will not have access to
web.config, and therefore they will not be able to read the file and see the
user security details.

You might want to consider moving user details into a database. In this
case, the web.config file won't contain any user credentials. However, this
can turn into a catch-22, as the web.config file will then (probably)
contain the database connection string, which in turn will give the
hacker-to-be access to the database and the user credentials table. You could
hard-code the database string into the login class (code-behind file), but
this will make maintenance more awkward. Another option would be to encrypt
the database string, but this situation would be no different from encrypting
the user passwords directly...

The encryption schemes mentioned are to authenticate people who try to
access web content which is being secured using the built-in Forms
Authentication in ASP.NET. As far as I know, it won't have any effect on
users who access your site using FTP. The only way to regulate FTP users
would be through the FTP Server software itself.

Hope this helps,

Mun