I'm building a small MVC app and I have a question in my head that sounds like a total noob question, but I have to ask it anyway.
I have to store the user's mail server username and password, and I'm debating whether I should create a settings table in my database or put the info in the web.config.
Is one more secure than the other? If so, which one?
I know I can encrypt the web.config, but I also know modifying it from the app causes an app restart, so allowing the user to configure their own settings could be problematic if I want to write to the config.

Answer 1:
If an attacker can access your web.config file, he is most likely able to access the database as well. Storing credentials in plaintext, regardless of location, is problematic.
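
An added example, not part of the question or the answer above: one way to keep the mail password out of plaintext is to store it in a settings table encrypted with `MachineKey.Protect` (System.Web, .NET 4.5 or later), which also avoids writing to web.config at runtime. The class name `MailSettingsStore`, the table `UserMailSettings` and its columns are hypothetical, and the sketch assumes a row already exists for each user.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Hypothetical helper: table and column names are assumptions, not from the thread.
public static class MailSettingsStore
{
    // Purpose strings bind the ciphertext to this use and to one user,
    // so a value copied into another user's row fails to decrypt.
    private static string[] Purposes(int userId) =>
        new[] { "MailSettings.SmtpPassword", "user:" + userId };

    public static void Save(string connStr, int userId, string smtpUser, string smtpPassword)
    {
        byte[] cipher = MachineKey.Protect(Encoding.UTF8.GetBytes(smtpPassword), Purposes(userId));
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "UPDATE UserMailSettings SET SmtpUser = @u, SmtpPasswordEnc = @p WHERE UserId = @id", conn))
        {
            cmd.Parameters.AddWithValue("@u", smtpUser);
            cmd.Parameters.Add("@p", SqlDbType.VarBinary, -1).Value = cipher;
            cmd.Parameters.AddWithValue("@id", userId);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    public static string LoadPassword(string connStr, int userId)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT SmtpPasswordEnc FROM UserMailSettings WHERE UserId = @id", conn))
        {
            cmd.Parameters.AddWithValue("@id", userId);
            conn.Open();
            var cipher = cmd.ExecuteScalar() as byte[];
            if (cipher == null) return null; // no password stored for this user
            // Unprotect throws if the value was tampered with, belongs to
            // another user, or the machine key has changed.
            try { return Encoding.UTF8.GetString(MachineKey.Unprotect(cipher, Purposes(userId))); }
            catch (CryptographicException) { return null; }
        }
    }
}
```

The stored value is only as safe as the machine key: a database dump alone does not reveal the passwords, but anyone who can read the key or run code inside the application can decrypt them.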