Store Passwords Securely
Use an encrypted password stored in the registry instead of plain text stored in a configuration file.
October 30, 2009
Feature Companion
LANGUAGES: All .NET Languages
ASP.NET VERSIONS: 1.1
By Dino Esposito
In Take Control of the ASPNET Account, I took a close look at ASP.NET's security layers. Starting with the .NET Framework Service Pack 3, and of course in ASP.NET 1.1, you can use an encrypted password stored in the registry instead of plain text stored in a configuration file. This feature is supported by the processModel, identity, and sessionState configuration sections.
The idea is that you use an ad-hoc tool, aspnet_setreg.exe, to encrypt the credentials and store them in the registry. The tool creates registry keys under the HKEY_LOCAL_MACHINE subtree and there stores an encrypted username and password. By default, only administrators can create keys under this hive. For example, here's what you need to do to create encrypted registry keys for the username and password:
aspnet_setreg.exe -k:"Software\Protected ASP.NET\ProcessModel" -u:userID -p:password
Notice that the aspnet_setreg.exe tool always creates an extra key named ASPNET_SETREG and, below it, the attributes userName and password contain encrypted data. You can change key and attribute names in the registry as needed to camouflage them better.
Microsoft made the aspnet_setreg.exe tool available as part of a "hot fix" as described in Microsoft Knowledge Base article Q329290, "Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings" (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290). The recommended way to get it, though, is through Service Pack 3 or ASP.NET 1.1. Getting the aspnet_setreg.exe tool alone is not sufficient because updates to aspnet_isapi.dll also are needed.
Once you set the registry, you enter some changes into the involved configuration files (machine.config or web.config) and make the critical elements point to the registry for username and/or password. You assign the userName and password attributes as shown below. The sample text refers to the identity section.
registry:HKLM\SOFTWARE\Protected ASP.NET\identity\ASPNET_SETREG,userName
registry:HKLM\SOFTWARE\Protected ASP.NET\identity\ASPNET_SETREG,password
Basically, you make the attribute point to the registry path where the encrypted credentials are stored. Notice that you must mention the hive explicitly using the HKLM abbreviation. (HKLM stands for HKEY_LOCAL_MACHINE.) If you modified the default registry path, indicate the new one in the .config files.
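A practical follow-up to the procedure above is checking that a server's configuration files actually point at the registry rather than still carrying credentials in plain text. The script below is an added example, not code from the article or from Microsoft; it parses a machine.config/web.config and reports every processModel, identity or sessionState credential attribute that is neither a registry: reference nor a built-in placeholder. The sample configuration is constructed, and the assumption that the protected sessionState attributes are sqlConnectionString and stateConnectionString comes from the hotfix, not from this page.

```python
"""Audit an ASP.NET 1.1 config file for plain-text credentials that should
have been moved to the registry with aspnet_setreg.exe. Added example, not
part of the original article; the sample config below is constructed."""
import re
import xml.etree.ElementTree as ET

# Sections and attributes that may point at the registry. The sessionState
# attribute names are an assumption taken from the hotfix, not from the article.
PROTECTED_ATTRS = {
    "processModel": ("userName", "password"),
    "identity": ("userName", "password"),
    "sessionState": ("sqlConnectionString", "stateConnectionString"),
}
# Reference shape used in the article: registry:HKLM\<key path>\ASPNET_SETREG,<attr>
REGISTRY_REF = re.compile(r"^registry:HKLM\\[^,]+,\w+$")
# Built-in tokens that carry no secret (empty identity, machine/system account,
# auto-generated process password) and therefore need no protection.
PLACEHOLDERS = {"", "machine", "system", "AutoGenerate"}


def audit_config(xml_text):
    """Return (section, attribute, value) for every credential attribute that
    is stored in plain text instead of as a registry reference."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, attrs in PROTECTED_ATTRS.items():
        for elem in root.iter(section):
            for attr in attrs:
                value = elem.get(attr)
                if value is None or value in PLACEHOLDERS:
                    continue
                if REGISTRY_REF.match(value):
                    continue  # already protected, nothing to report
                findings.append((section, attr, value))
    return findings


# Constructed sample: identity is done right, the other two sections are not.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" userName="DOMAIN\\svc_web" password="P@ss" />
    <identity impersonate="true"
      userName="registry:HKLM\\SOFTWARE\\Protected ASP.NET\\identity\\ASPNET_SETREG,userName"
      password="registry:HKLM\\SOFTWARE\\Protected ASP.NET\\identity\\ASPNET_SETREG,password" />
    <sessionState mode="SQLServer"
      sqlConnectionString="data source=db;user id=sa;password=secret" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for section, attr, value in audit_config(SAMPLE_CONFIG):
        print(f"{section}.{attr} is plain text ({value!r}); move it with aspnet_setreg.exe")
```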
About the Author
Dino Esposito is a trainer and consultant who specializes in ASP.NET, ADO.NET, and XML. Author of Building Web Solutions with ASP.NET and ADO.NET and Programming Microsoft ASP.NET, both from Microsoft Press, Dino also is a co-founder of http://www.VB2TheMax.com. E-mail him at mailto:[email protected].