I am using ASP.NET MVC 3 membership for my site with default settings. Thus, the user password for the user is stored securely.
My service requires the user to enter a username / password for other web services that they use. I access these services from my service. If I save user passwords for users, I need to make sure that these usernames / passwords are stored securely, so that if someone breaks into my server, they will not be displayed.
I understand the general concepts of how this can be done (encrypt the username / pw using the ASP.NET membership hash that they provided as the key). But I do not know the specific APIs or the correct templates.
I also think that in principle this cannot be done, because if someone breaks into my service, they can just use the hash to decrypt the passwords. I am right about that.
Assuming I'm wrong and you can do what I want, suppose my model contains something like this:
    public class MSExchangeSettings
    {
        [Required]
        [DataType(DataType.EmailAddress)]
        [Display(Name = "Email address for your Exchange account")]
        public string EmailAddress { get; set; }

        [Required]
        [DataType(DataType.Password)]
        [Display(Name = "Password for your Exchange account")]
        public string Password { get; set; }
        ...
    }
Can someone provide an example of how to do this correctly?
If this is not possible, I will have to resort to asking the user for their PW every time, which I want to avoid. Of course, for services I use OpenID or OAuth support. I have other alternatives, but for this specific example (Exchange) I need username / pw.
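The concern raised in the question, that a key taken from the stored membership hash is available to anyone who copies the database, is avoided when the key is derived from the plaintext login password instead. The sketch below is an added example and not part of the original post; `CredentialVault`, its method names, the blob layout and the iteration count are assumptions, and it presumes the code runs where the login password is available (for example in the login action).

```csharp
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example, not the poster's code; CredentialVault and its members are hypothetical names.
public static class CredentialVault
{
    // Keys come from the plaintext login password (never stored), not the stored membership hash.
    static byte[] DeriveKeys(string loginPassword, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(loginPassword, salt, 100000)) // assumed work factor
            return kdf.GetBytes(64); // bytes 0-31: AES key, bytes 32-63: HMAC key
    }
    // Output layout: salt(16) || iv(16) || AES-CBC ciphertext || HMAC-SHA256 tag(32)
    public static byte[] Protect(string loginPassword, string secret)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] keys = DeriveKeys(loginPassword, salt);
        using (var aes = Aes.Create()) // defaults: CBC, PKCS7; IV getter yields a fresh random IV
        using (var mac = new HMACSHA256(keys.Skip(32).ToArray()))
        {
            aes.Key = keys.Take(32).ToArray();
            byte[] plain = Encoding.UTF8.GetBytes(secret);
            using (var enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plain, 0, plain.Length);
                byte[] body = salt.Concat(aes.IV).Concat(ct).ToArray();
                return body.Concat(mac.ComputeHash(body)).ToArray();
            }
        }
    }
    public static string Unprotect(string loginPassword, byte[] blob)
    {
        if (blob.Length < 80) throw new CryptographicException("Blob too short");
        byte[] keys = DeriveKeys(loginPassword, blob.Take(16).ToArray());
        int bodyLen = blob.Length - 32, diff = 0;
        byte[] tag;
        using (var mac = new HMACSHA256(keys.Skip(32).ToArray())) tag = mac.ComputeHash(blob, 0, bodyLen);
        for (int i = 0; i < 32; i++) diff |= tag[i] ^ blob[bodyLen + i]; // compare without early exit
        if (diff != 0) throw new CryptographicException("Wrong password or modified data");
        using (var aes = Aes.Create())
        {
            aes.Key = keys.Take(32).ToArray();
            aes.IV = blob.Skip(16).Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 32, bodyLen - 32));
        }
    }
}
```

With this design the blob must be re-encrypted when the user changes their password and becomes unrecoverable after a password reset. The server can reach the Exchange password only while it holds the login password or the derived key, so jobs that run while the user is absent cannot decrypt it.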