Monday, May 09, 2005

Security Session

How to keep secrets in

suggestions are to keep passwords in one way hash using the primary key of user record as the salt.

use symmetric keys to store info like connection strings and credit card numbers. the dpapi is used to help store/hide keys, but if the machine crashes you will not be able to retrieve data. so you could use dpapi for data that you can recreate (like connection strings), but not for data that you can't recreate (like credit cards).

hiding the key for symmetric encryption is ultimately a network security issue. you can keep it in the registry, in a file, in the code (probably not the best place :), etc. where ever you put it be sure that only user has access, and that it is out of the web root. on a web farm it will be easier to deploy it in a file.