securing passwords in code

Even with https enabled, you can write a password to the event log in code-behind. Any way to keep that password encrypted in code while you're checking it against a data store?

(using Login control)

(couldn't add comment to Andrew's answer, so I'm putting it here)

NTLM uses the username/password of the machine the user is logged into right? For this, I was thinking using ActiveDirectory on the server as the data store. It would have a diferrent un/pw than what the user is currently signed in to their machine as. 开发者_JS百科

Check the SecureString class.

Represents text that should be kept confidential. The text is encrypted for privacy when being used, and deleted from computer memory when no longer needed.

If you're sending a plain-text password in a form submission it is always available in the HttpContext object. It can't be removed or encrypted during the life of the page. The capability to store it is available the entire time until the finished page response is pushed out to the client. Even beyond that, the password is available in plaintext in memory and accessible through a hex editor (in RAM).

If you're concerned about password's being available in these fashions, you would be better served by enabling the NTLM authentication through Windows Integrated authentication which is hashed from bang to bullets.

If you are concerned about the plaintext password being in memory simply encrypt it as soon as possible in your workflow. Also make sure that you never log the plaintext password to any event logs either.