[OWASP-Security101] Storing of password in application config file

Erki Männiste Erki.Manniste at webmedia.ee
Wed Apr 4 08:36:01 UTC 2012


I was just reading about this here:
http://www.troyhunt.com/2010/12/owasp-top-10-for-net-developers-part-6.html
and
http://www.troyhunt.com/2011/06/owasp-top-10-for-net-developers-part-7.html
 

erki


-----Original Message-----
From: security101-bounces at lists.owasp.org [mailto:security101-bounces at lists.owasp.org] On Behalf Of Wei Chea Ang
Sent: Tuesday, April 03, 2012 4:58 PM
To: security101 at lists.owasp.org
Subject: [OWASP-Security101] Storing of password in application config file

Hi all,

What is the recommended way of storing a password in an application config file?

Is it recommended to store the hash value or the encrypted value of the password?

Will the application be vulnerable to a pass-the-hash attack if the application authenticates by comparing the hash value?

Thank you.


--
Best Regards,
Wei Chea