APP134: Database Password Protection in Storage

Does the application protect/encrypt database connection strings (i.e., passwords) in local storage?

Guidance: Database connection strings contain authentication data (at minimum a user ID and password whenever SQL authentication is used) and must therefore be encrypted at rest. Both the encrypted connection strings and the keys that protect them must themselves be protected, with access limited to the identity the application runs under. Decryption must not be provided as a standalone utility, because such a tool lets anyone who can run it recover and display the connection string in the clear; instead, decryption should be embedded in or fully integrated with the application so that the plaintext exists only in the process that opens the database connection.

  • JE

As recommended by Microsoft (Protecting Connection Information - Microsoft Docs), connection strings should use Integrated Security. By selecting this option, there is no need to specify, save or transmit database passwords. The following is an example of a connection string using Integrated Security:

    Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;
    Initial Catalog=QuickView;Data Source=SRV01

    Please note that for the above connection string:

    • There is no SQL server user Id or password to be saved or transmitted.
    • The Data Source parameter is the name of the SQL Server to which the application server will connect.
    • Save the connection string to the QuickView.udl file in the program directory on the server.

    Additional references: Databases
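As an added, concrete illustration of both the guidance above (encrypt the stored connection string, protect the key, keep decryption inside the application) and JE's Integrated Security recommendation, the following Windows PowerShell script is example code written for this page; it is not code from the original ticket, from JE, or from Microsoft. It writes a constructed web.config with two connection strings (one using Integrated Security, which needs no password, and one SQL-authentication string that does), encrypts the connectionStrings section with the .NET Framework's DPAPI-backed DataProtectionConfigurationProvider via aspnet_regiis.exe, checks the on-disk result, and then reads the string back the way an application would, through the configuration API, which decrypts in-process. The directory under %TEMP%, the server names SRV01/SRV02, the "Payroll" connection, the account svc_payroll, the sample password, and the app pool identity IIS APPPOOL\QuickView are all assumptions for the demonstration. It needs Windows PowerShell 5.1 with .NET Framework 4.x and should be run from an elevated prompt.

```powershell
# Added example (not from the original ticket): protect a connectionStrings
# section at rest with DPAPI-backed protected configuration, then read it back
# inside the application with no separate decrypt utility.
# Assumptions: Windows PowerShell 5.1, .NET Framework 4.x, elevated prompt.
# All names below (SRV01, SRV02, Payroll, svc_payroll, the password, and the
# app pool identity) are constructed for this demonstration.

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Web, System.Configuration

# Constructed application directory and web.config. "QuickView" follows the
# Integrated Security recommendation (nothing secret to protect); "Payroll" is
# the SQL-authentication case that must never sit on disk in the clear.
$appDir = Join-Path $env:TEMP 'QuickViewDemo'
New-Item -ItemType Directory -Path $appDir -Force | Out-Null
$webConfig = Join-Path $appDir 'web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="QuickView"
         connectionString="Data Source=SRV01;Initial Catalog=QuickView;Integrated Security=SSPI;Persist Security Info=False"
         providerName="System.Data.SqlClient" />
    <add name="Payroll"
         connectionString="Data Source=SRV02;Initial Catalog=Payroll;User ID=svc_payroll;Password=ExamplePassword1!"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@ | Set-Content -Path $webConfig -Encoding UTF8

# Encrypt the whole <connectionStrings> section in place. -pef takes the physical
# directory that holds web.config. DataProtectionConfigurationProvider uses the
# machine DPAPI key store by default, so the ciphertext is bound to this host:
# a copy of web.config taken to another machine does not decrypt.
$regiis = Join-Path ([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'aspnet_regiis.exe'
& $regiis -pef 'connectionStrings' $appDir -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Verify the on-disk result: the section is marked protected and the plaintext
# password is gone (the section body is now an <EncryptedData> element).
$onDisk = Get-Content -Path $webConfig -Raw
if ($onDisk -match 'Password=') { throw 'connectionStrings still contains a plaintext password' }
if ($onDisk -notmatch 'configProtectionProvider="DataProtectionConfigurationProvider"') { throw 'connectionStrings section is not marked as protected' }

# Application-side read. The configuration system decrypts as part of normal
# config loading, so the application never calls a "decrypt connection string"
# tool and none needs to be shipped.
$map = New-Object System.Web.Configuration.WebConfigurationFileMap
$map.VirtualDirectories.Add('/', (New-Object System.Web.Configuration.VirtualDirectoryMapping($appDir, $true)))
$cfg = [System.Web.Configuration.WebConfigurationManager]::OpenMappedWebConfiguration($map, '/')
$payroll = $cfg.ConnectionStrings.ConnectionStrings['Payroll'].ConnectionString
# Hand $payroll to SqlConnection; never log or display it. Only its shape is shown here.
Write-Output ("Payroll string decrypted in-process: {0} chars, contains Password=: {1}" -f $payroll.Length, ($payroll -match 'Password='))

# Machine-store DPAPI protects against offline copies, not against anyone who
# can run code as any user on this host (aspnet_regiis -pdf is exactly the
# standalone decrypt utility the guidance warns about). The file ACL therefore
# still matters: restrict web.config to administrators, SYSTEM, and the app pool.
$appPoolIdentity = 'IIS APPPOOL\QuickView'   # assumption: the application pool exists
$acl = Get-Acl -Path $webConfig
$acl.SetAccessRuleProtection($true, $false)  # stop inheriting broader ACEs
foreach ($id in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
try {
    (New-Object System.Security.Principal.NTAccount($appPoolIdentity)).Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($appPoolIdentity, 'Read', 'Allow')))
} catch {
    Write-Warning "App pool identity '$appPoolIdentity' does not exist on this host; grant Read to the real service identity instead."
}
Set-Acl -Path $webConfig -AclObject $acl
```

The QuickView string needs none of this: with Integrated Security the application authenticates to SQL Server as its own Windows service identity, so there is no password to encrypt or to leak. Where SQL authentication cannot be avoided, the pattern above keeps the decrypting code inside the application's configuration load, and the ACL, not the encryption alone, is what stops another local user from recovering the string.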

January 21, 2021 05:48 PM