Hello,

I am developing a site under 5.14.  While making minor modifications to the web.config, I was very surprised to see in plain text a connection stream that lists the username and password for the admin log in. I would think this would be a huge security risk.  Is there an easy way for a non-programmer to encrypt the connection strings? 

I found two modules, but neither has been tested on 5.1.  The two modules are:

Shancer Encrypt Web.config 1.0
Encrypt Connection Strings by Darrell Hardy

Thank you!

I heard Darrell speak on this issue a couple of years ago. If you write to him, he may be willing to share his Powerpoint file with you, or give you additional information. Darrell's module may the the best approach, but it's not clear that it's compatible with version 5.x. I'd ask.

The encryption part is a standard part of ASP.NET, so I'm sure that there is additional information available on the MS website, but probably not in a way that is accessible to a non-programmer.

On the other hand, I've never see this discussed as a major security hole, as most sites don't grant access to the root directory. You could ask about this by writing to the security team at DotNetNuke.

Thank you Joseph,

Darrell has been amazing. I sent him an email and had a reply within 12 hours. He even went so far as to validate his code on 5.1.4 and send it to me along with instructions. Several people have echoed your comments that this is not a security hole. I will double check with my ISP that access to the root directory is blocked. This topic is a bit over my head and I have a few reservations about what it may do to some 3rd party modules. I was just so surprised to see my login info visible in plain text. For now I will probably leave this alone.

Great!