4.1 Security Considerations for Implementers

A connection string can contain credential information in clear text. It is recommended that .NET Framework applications take special care when accessing credential information and, whenever possible, avoid passing the credential information in the connection string.<21> Instead, it is recommended that applications use Authentication=Active Directory Integrated or Integrated Security=sspi in the SqlClient Connection String structure, or use SqlClient APIs to specify credential information. For more information, see [MS-NRPC] section 2.2.1.3.4.
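
The following added example (not part of this specification) shows one way an application could check a connection string for clear-text credentials and supply credentials through the SqlClient API instead. It assumes System.Data.SqlClient on .NET Framework 4.6 or later; the class and method names, server, database, and account values are hypothetical.

```csharp
// Added example for .NET Framework 4.6+ (System.Data.SqlClient); not from the specification.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security;

static class ConnectionStringAudit
{
    // Hypothetical helper: lists clear-text credential findings for a connection string.
    public static List<string> Audit(string connectionString)
    {
        // The builder applies SqlClient's own parsing (quoting, synonyms such as UID/PWD).
        var b = new SqlConnectionStringBuilder(connectionString);
        var findings = new List<string>();
        bool integrated = b.IntegratedSecurity ||
            b.Authentication == SqlAuthenticationMethod.ActiveDirectoryIntegrated;

        if (!string.IsNullOrEmpty(b.Password))
            findings.Add("clear-text password in connection string");
        if (!string.IsNullOrEmpty(b.UserID) && !integrated)
            findings.Add("user ID in connection string instead of integrated authentication");
        if (b.PersistSecurityInfo)
            findings.Add("Persist Security Info=true leaves the password in ConnectionString after Open");
        return findings;
    }

    // Credentials passed through the SqlClient API rather than the connection string.
    public static SqlConnection Create(string server, string database, string user, SecureString password)
    {
        var b = new SqlConnectionStringBuilder { DataSource = server, InitialCatalog = database };
        password.MakeReadOnly();   // SqlCredential requires a read-only SecureString
        return new SqlConnection(b.ConnectionString, new SqlCredential(user, password));
    }

    static void Main()
    {
        // Constructed sample strings; all names and values are placeholders.
        string[] samples = {
            "Server=db.example.test;Database=Orders;UID=app_user;PWD=constructed-sample",
            "Server=db.example.test;Database=Orders;Integrated Security=sspi",
            "Server=db.example.test;Database=Orders;Authentication=Active Directory Integrated",
        };
        foreach (var s in samples)
        {
            // Report findings only; the connection string itself is never written to output.
            var findings = Audit(s);
            Console.WriteLine(findings.Count == 0 ? "OK" : string.Join("; ", findings));
        }
    }
}
```

Only the first sample produces findings; the two integrated-authentication strings carry no credential material.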