Let us continue on with the series of common security mistakes in web development.
Passwords, or leaving them unencrypted on publically accessible servers. This is a very common mistake that a lot of new and seasoned programmers alike make.
Even though the web.config is not served by IIS, what would happen if a new virus/undiscovered bug comes along and changes this. To encrypt your web.config is quite simple and can be done via the .NET Framework. I have explained how to do this is a previous post.
Added to this, is that passwords stored in the databases should also be encrypted and not be able to be decrypted. You can do this using the SHA1 encryption which is in the System.Security.Cryptography. You can compare the encrypted input with the information stored in the database.
You shouldn’t write your own crypto protocols and also you should keep up to date with the protocols as they go out of date.
If you fancy some interesting(!) reading take a look on the Google Code Search tool to find places where people haven’t encrypted their connection strings. Sample search here