I have a resource file called AppSecrets.resx, and the bit of code below to check the login credentials of the "super duper admin user". This admin user is distinct from normal admin users, as it is hard coded into the app. It works, but could someone sniff out the contents of the .resx-file on a live website?

Or is it just as secure to just leave the password as plain text in the MVC controller .cs-file?

string superduperadminpassword = AppSecrets.superduperadminpassword;
if (login.UserName == "admin" && login.Password == superduperadminpassword)
{
    // Do some stuff ...
    return RedirectToLocal(login.ReturnUrl);
}
有帮助吗?

解决方案

It all depends on how you configure your server. The slightest mistake could give anyone the ability to read files as text. Resources and .cs files included.

Storing users' passwords plain text is always a bad idea. You should use existing algorithms which would create, for a given password, a salted hash. If an intruder gets (read-only) access to all your source code and the hashes, he still won't be able to find the password.

  • Never store plain text passwords.
  • Never invent your own cryptographic functions: use the ones which are specifically created for the given purpose.
  • Don't rely on the fact that your source code is not public. On other words, publishing your source code shouldn't compromise the security of your system.
  • Ensure all your code related to security aspects is pair-reviewed.
  • In doubt, ask for help on security.SE.
许可以下: CC-BY-SA归因
scroll top