Hashing Impersonation Password in Web.Config

Is there any way to provide a hash of the password used in web.config:

<identity impersonate="true" userName="auser" password="apassword" />

I'd prefer not to store clear text passwords in my web.config... maybe there is a way to do it using an MD5 or SHA hash?

Mark A. Richman
11/24/2004 1:43:09 PM
asp.net.security

3 Replies


Have a look at the following handy tool:

11/24/2004 3:36:04 PM
This does not appear to be compatible with values for

unless I'm missing something.
- Mark
Mark A. Richman
11/24/2004 3:53:20 PM
You can also use DPAPI.  Carl Franklin has a good DPAPI helper library at http://franklins.net/dotnet/.

Additionally, for extra security, you can use the ASPNET_setreg.exe tool to store the ID and PW in the registry. This is native to .NET and works well.
There's more information about both of these in the "Building Secure ASP.NET Applications" pattern at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp.
If my post is your answer, please mark it as the answer. It will bring good karma.

Crystal Alliance
My Blog
Florist Blogs
11/24/2004 4:10:31 PM
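
The registry-based approach from the reply above, shown as an added example (not part of the original thread): impersonation needs the real password to log the account on, so a hash cannot be substituted, but the `registry:` form keeps the clear text out of web.config. The key path `SOFTWARE\ExampleApp\identity` is a constructed placeholder; the account name and password are the ones from the question.

```xml
<configuration>
  <system.web>

    <!-- BEFORE: credentials in clear text, exposed to anyone who can read
         web.config (source control, backups, file-read bugs):

         <identity impersonate="true" userName="auser" password="apassword" />
    -->

    <!-- STEP 1: run once on the web server from an administrative prompt.
         The key path is a placeholder chosen for this example:

           aspnet_setreg.exe -k:SOFTWARE\ExampleApp\identity -u:"auser" -p:"apassword"

         The tool encrypts both values with DPAPI and writes them as binary
         values under HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG.
    -->

    <!-- STEP 2: restrict the ACL on that registry key so that only
         Administrators, SYSTEM and the ASP.NET worker process account
         can read it. The values are protected with the machine-level
         DPAPI store, so the registry ACL is the control that decides
         who on this server can recover the password.
    -->

    <!-- AFTER: web.config points at the encrypted registry values.
         Format is registry:<hive>\<key>\ASPNET_SETREG,<value name>
    -->
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,password" />

  </system.web>
</configuration>
```

Because the password is passed on the command line in step 1, run the tool from a console session on the server itself rather than from a script that is stored alongside the application.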
