C# Winforms application secure connection to Access DB

Question

I have a C# 2010 Winforms application that uses OleDb to connect to an Access 2010 database which is password protected. This is not an online application!

I currently store the password in plain text in the connection string [I know this is horribly insecure] which is obfuscated using Eazfuscator.NET . I am interested in a way to securely store the password in such a way that it cannot be obtained by decompiling or any other practical methods.

I am aware that there are methods to do this for ASP.NET applications by encrypting the connection string in app/web.config but it would not work for me since my application is a desktop application.

So far I didn't find any method to achieve this.

Here is what I have thought of doing:

Request a password from the user, since there will be only one user who will have access to the database. Get a hash (SHA1 / SHA512) for the input password, select a certain number of characters from the hash, salt it, add it to the connection string and try to connect.

Obviously, if the user would forget the password, there would be absolutely no way to gain access to the database other than by using brute force.

Is there any way to store the password used in the connection string in the program so that it cannot be obtained by any practical means?

Answer 1

You should generate a long random secure password for the database, then encrypt it using the ProtectedData class.
This will encrypt it using the user's Windows logon password, so that it will be impractical to read it unless the user is logged on.

Answer 2

You could use a DSN and store the username and password there, rather than in the app, but then any app that knows the DSN can use the database and the credentials are available in the registry in plain text.

What are you trying to defend against, the app getting into the wild? The database? An unauthorised user sitting at the machine? The password has to live somewhere...