How to securely store database connection details

我寻月下人不归 2020-12-06 19:27

In an application that needs to open a database connection, the username/password details must be sent to the database. What is the most secure way of storing, and using, th

4 answers
  •  谎友^ (original poster)
    2020-12-06 20:02

    Excellent question.
    It's an issue with which we've grappled - and come up with a variety of approaches.

    The first answer is to go with 1800 INFORMATION's suggestion:

    put it in an area only readable by the userid running your application.

    I don't think you'll get a better all-round solution than this.

    Other methods we've toyed with (and rejected):

    • Save it in an encrypted file
      • this only works if the attacker can't get to your code to see how the encryption works, so not so good most of the time.
    • Save it in the database and require a human to log on to start the application
      • this works, as long as you are in a position to have a real person start up the application all the time
    • Rely on built-in security devices, such as those in .NET (see rwwilden's answer).
      • this is a good solution if you are, e.g. a Microsoft shop.
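
The first approach in the answer above (a file readable only by the userid running the application), as an added example that is not part of the original answer. It assumes a POSIX system and a hypothetical `key=value` credential file; the function names and sample values are constructed for illustration.

```python
import os
import stat
import tempfile

class InsecureCredentialFile(Exception):
    """Raised when the credential file is accessible to anyone but its owner."""

def load_db_credentials(path):
    """Return the parsed credentials only if `path` is private to the running uid."""
    # O_NOFOLLOW: refuse a symlink placed where the real file should be.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path, to avoid a race
        if not stat.S_ISREG(st.st_mode):
            raise InsecureCredentialFile(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise InsecureCredentialFile(f"{path}: not owned by the running user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise InsecureCredentialFile(f"{path}: group/other bits set ({mode:04o})")
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            fd = None  # the file object now owns the descriptor
            lines = fh.read().splitlines()
    finally:
        if fd is not None:
            os.close(fd)
    creds = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    missing = {"username", "password"} - creds.keys()
    if missing:
        raise ValueError(f"{path}: missing keys {sorted(missing)}")
    return creds

def write_sample(mode):
    """Create a constructed sample credential file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write("# constructed sample values\nusername=app_user\npassword=example-only\n")
    os.chmod(path, mode)
    return path
```

Failing closed on a loose mode turns a deployment mistake (for example a file left at 0644) into a startup error instead of a silently exposed password.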
