Skip navigation
Menu
Software Development>Development Techniques and Management

Store Passwords Securely

Use an encrypted password stored in the registry instead of plain text stored in a configuration file.

Feature Companion

LANGUAGES: All .NET Languages

ASP.NET VERSIONS: 1.1

 

Store Passwords Securely

Use an encrypted password stored in the registry instead of plain text stored in a configuration file.

 

By Dino Esposito

 

In Take Control of the ASPNET Account, I took a close look at ASP.NET's security layers. Starting with the .NET Framework Service Pack 3, and of course in ASP.NET 1.1, you can use an encrypted password stored in the registry instead of plain text stored in a configuration file. This feature is supported by the processModel, identity, and sessionState sections of the registry.

 

The idea is that you use an ad-hoc tool - aspnet_setreg.exe - to encrypt the credentials and store them in the registry. The tool creates registry keys under the HKEY_LOCAL_MACHINE subtree and there stores an encrypted username and password. By default, only administrators can create keys under this hive. For example, here's what you need to do to create encrypted registry keys for the username and password:

 

aspnet_setreg.exe

-k:"Software\Protected ASP.NET\ProcessModel"

-u:userID

-p:password

 

Notice that the aspnet_setreg.exe tool always creates an extra key named ASPNET_SETREG and, below it, the attributes userName and Password contain encrypted data. You can change key and attribute names in the registry as needed to camouflage them better.

 

Microsoft made the aspnet_setreg.exe tool available as part of a "hot fix" as described in Microsoft Knowledge Base article Q329290, "Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings" (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290). The recommended way to get it, though, is through Service Pack 3 or ASP.NET 1.1. Getting the aspnet_setreg.exe tool alone is not sufficient because updates to aspnet_isapi.dll also are needed.

 

Once you set the registry, you enter some changes into the involved configuration files (machine.config or web.config) and make the critical elements point to the registry for username and/or password. You assign the userName and password attributes as shown below. The sample text refers to the identity section.  

 

registry:HKLM\SOFTWARE\Protected ASP.NET\identity\ASPNET_SETREG,userName

registry:HKLM\SOFTWARE\Protected ASP.NET\identity\ASPNET_SETREG,password

 

Basically, you make the attribute point to the registry path where the encrypted credentials are stored. Notice that you must mention the hive explicitly using the HKLM abbreviation. (HKLM stands for HKEY_LOCAL_MACHINE.) If you modified the default registry path, indicate the new one in the .config files.

 

Dino Esposito is a trainer and consultant who specializes in ASP.NET, ADO.NET, and XML. Author of Building Web Solutions with ASP.NET and ADO.NET and Programming Microsoft ASP.NET, both from Microsoft Press, Dino also is a co-founder of http://www.VB2TheMax.com. E-mail him at mailto:[email protected].

 

 

 

 

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Microsoft's GitHub offices
Microsoft’s AI Copilot Is Starting to Automate the Coding Industry
Apr 17, 2024
digital world map on warehouse background
How To Build an International Shipping Software System
Jan 30, 2024
artificial intelligence concept art
Top 10 AI Stories of 2023
Dec 19, 2023
Abstract technology concept lighting effect on dark blue background
Top 10 Stories About Compute Engines, Linux in 2023
Dec 18, 2023