Does the password in the ConnectionString travel encrypted?

seguso

Hello,

I have a very simple question I could find nothing about.

When, in a .NET application, I connect to a database with a
ConnectionString like "database=foo; server=220.40.231.2; uid = root;
persist security info= false; pwd=blabla", does my root password
travel in clear-text?

AFAIU, the DB server should first send me its public key, with which I
would encrypt my root password. Does this really happen under the hood,
or is my password travelling in clear?

I did notice the "encrypt=true" option in the connection string, but
it does not seem appropriate, because I don't need to encrypt all
communication with the DB server -- just the password.

Thank you very much for any reply.

(I am actually using mysql with MySql Connector/Net, but I suppose
this makes no difference. Or does it? )

Maurizio
 
William Vaughn

AFAIK with SSPI authentication, the Windows password traverses the wire to
the Domain controller if you log on to a domain--I don't know if it's
encrypted on the wire (I don't think it is).

With SQL Server (or other server-authenticated protocols) the password must
also traverse the network--the only way to prevent this is to use an
encrypted connection (and encrypt the entire TDS stream).

As I discuss in the book, another approach is to make the credentials less
important. While a given connection string password can gain access to a
data source, the objects exposed through those credentials are very
limited--focused on specific stored procedures or views. Expanded access can
be accomplished by other application-specific means.

hth

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant, Dad, Grandpa
Microsoft MVP
INETA Speaker
www.betav.com
www.betav.com/blog/billva
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
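
An added example, not part of either post above: a small C# check that applies the two points in the reply to a set of connection strings, flagging those that carry a password without requiring an encrypted connection and those that log in as an administrative account. The class name, the finding texts, and the second and third sample strings are constructed for illustration; the keywords checked are the SqlClient `Encrypt` / `TrustServerCertificate` and Connector/NET `SslMode` options.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Linq;

static class ConnectionStringAudit
{
    // First value found under any of the keyword synonyms, lower-cased; null if absent.
    static string Get(DbConnectionStringBuilder b, params string[] keys)
    {
        foreach (string k in keys)
            if (b.TryGetValue(k, out object v) && v != null)
                return v.ToString().Trim().ToLowerInvariant();
        return null;
    }

    // Returns findings for one connection string; an empty list means nothing was flagged.
    public static List<string> Audit(string connectionString)
    {
        var findings = new List<string>();
        var b = new DbConnectionStringBuilder();
        try { b.ConnectionString = connectionString; }
        catch (ArgumentException e) { findings.Add("unparseable: " + e.Message); return findings; }
        bool hasPassword = !string.IsNullOrEmpty(Get(b, "pwd", "password"));
        // SqlClient: Encrypt=true|yes|mandatory|strict. Connector/NET: SslMode=Required|VerifyCA|VerifyFull.
        bool encrypted = new[] { "true", "yes", "mandatory", "strict" }.Contains(Get(b, "encrypt"))
                      || new[] { "required", "verifyca", "verifyfull" }.Contains(Get(b, "sslmode"));
        bool trustsAnyCert = new[] { "true", "yes" }.Contains(Get(b, "trustservercertificate"));
        string user = Get(b, "uid", "user id", "user", "username");
        if (hasPassword && !encrypted)
            findings.Add("password present, but an encrypted connection is not required");
        if (encrypted && trustsAnyCert)
            findings.Add("encryption is on, but the server certificate is not validated");
        if (user == "root" || user == "sa")
            findings.Add("application logs in as administrative account '" + user + "'");
        return findings;
    }

    static void Main()
    {
        string[] samples = {
            "database=foo; server=220.40.231.2; uid = root; persist security info= false; pwd=blabla",
            "server=db.example.test; database=foo; uid=app_reader; pwd=constructed; SslMode=Required",
            "Server=db.example.test; Database=foo; User ID=app; Password=constructed; Encrypt=true; TrustServerCertificate=true",
        };
        foreach (string cs in samples)  // print only the first keyword so no password is echoed
            Console.WriteLine(cs.Split(';')[0] + " -> " + string.Join(" | ", Audit(cs).DefaultIfEmpty("ok")));
    }
}
```

The first sample is the connection string from the question; it is flagged twice, once for the missing encryption requirement and once for the `root` login.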
 
