xml password storage


^MisterJingo^

Hi all,

I know storing passwords in an xml document is a pretty bad idea, but
what are your thoughts on storing the passwords in an xml file on a
secure server where I am the only person with access rights to the
directory it is in? Would such a thing be ok? The app simply pulls db
connection info from an xml file and then makes modifications to the
data in the db periodically. It will be sat on a live server outside of
the web root, so unless someone hacks the server, it should be
inaccessible. Also, the db account it uses has the minimum access
rights needed.
 
You say "unless someone hacks the server, it should be inaccessible".

Because, you know, I have ^never^ heard of a web server being hacked.

It's a bad idea. Don't do it. If anything use the Data Protection API
that is offered in Windows to store this information. You can find
information on using DPAPI in the following blog entry:

http://blogs.msdn.com/shawnfa/archive/2004/05/05/126825.aspx

Hope this helps.
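
The DPAPI approach suggested in the reply above, as an added example that is not part of the original posts: the password is encrypted with `ProtectedData` before it is written to the XML file, so the file on disk holds only a DPAPI blob. The file name, element names, entropy string and sample credentials are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData (System.Security.dll), Windows only
using System.Text;
using System.Xml.Linq;

static class ProtectedDbConfig
{
    // Hypothetical application-specific entropy; the same bytes must be
    // supplied again to Unprotect or decryption fails.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("db-updater/v1");

    // Encrypt the password with DPAPI and store it base64-encoded in the XML file.
    public static void Save(string path, string server, string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // do not keep the plaintext bytes around
        new XElement("connection",
            new XElement("server", server),
            new XElement("user", user),
            new XElement("password", new XAttribute("protection", "dpapi"),
                Convert.ToBase64String(blob))
        ).Save(path);
    }

    // Read the file back. Unprotect throws CryptographicException when the blob
    // was protected under a different Windows account or has been modified.
    public static string LoadPassword(string path)
    {
        XElement pw = XElement.Load(path).Element("password");
        if (pw == null || (string)pw.Attribute("protection") != "dpapi")
            throw new InvalidOperationException("password element missing or not DPAPI-protected");
        byte[] blob = Convert.FromBase64String(pw.Value);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        string path = "dbconfig.xml";   // constructed sample values below
        Save(path, "db01.example.internal", "app_rw", "constructed-sample-password");
        Console.WriteLine(XElement.Load(path));   // shows the blob, not the password
        Console.WriteLine(LoadPassword(path) == "constructed-sample-password");
    }
}
```

`Save` has to run under the same Windows account the application runs as, because `DataProtectionScope.CurrentUser` ties the blob to that account. Code that runs as that account can still call `Unprotect`, so the restricted directory and the minimum-rights db account remain necessary.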
 
Nicholas said:
You say "unless someone hacks the server, it should be inaccessible".

Because, you know, I have ^never^ heard of a web server being hacked.

It's a bad idea. Don't do it. If anything use the Data Protection API
that is offered in Windows to store this information. You can find
information on using DPAPI in the following blog entry:

http://blogs.msdn.com/shawnfa/archive/2004/05/05/126825.aspx

Hope this helps.

Thanks Nicholas,

I'll take a look at the link. The reason I said this is, on most
servers each web application stores its connectionstrings in the
web.config file, so if the server got hacked, most passwords would be
available anyway (not that this is a good thing!).
 