To demonstrate authentication and authorization, I stored the user credentials in the Web.config file. This is acceptable for small and simple applications where the list of users is unlikely to change over time, but there are two significant limitations to this approach. The first problem is that anyone who can read the Web.config file might be able to figure out the passwords, even when they are stored using cryptographic hashes rather than plain text (if you don’t believe this, create some hash codes for typical passwords and then search Google for each hash code; it won’t take much effort to figure out at least one of the passwords).
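
The first problem can be checked against your own configuration. The following is an added example, not code from the original text: a Python audit that flags any Web.config user whose stored hash matches a common password. The wordlist, user names, and sample file are constructed, and the stored value is assumed to be the uppercase hex digest of the UTF-8 password.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed wordlist for the example; a real audit would use a larger known-weak list.
COMMON_PASSWORDS = ["123456", "password", "secret", "letmein", "qwerty"]

# passwordFormat values handled here, mapped to hashlib names (others are skipped).
HASHES = {"SHA1": "sha1", "MD5": "md5"}


def stored_form(password, fmt):
    """Value expected in the password attribute (assumed: uppercase hex of UTF-8 bytes)."""
    if fmt == "Clear":
        return password
    return hashlib.new(HASHES[fmt], password.encode("utf-8")).hexdigest().upper()


def audit_credentials(config_xml, wordlist=COMMON_PASSWORDS):
    """Return {user: password} for each <user> whose stored value matches the wordlist."""
    findings = {}
    for creds in ET.fromstring(config_xml).iter("credentials"):
        # SHA1 is assumed when the attribute is absent.
        fmt = creds.get("passwordFormat", "SHA1")
        if fmt != "Clear" and fmt not in HASHES:
            continue
        norm = (lambda v: v) if fmt == "Clear" else str.upper
        # No salt: one precomputed table covers every user in the file.
        table = {norm(stored_form(p, fmt)): p for p in wordlist}
        for user in creds.iter("user"):
            hit = table.get(norm(user.get("password", "")))
            if hit is not None:
                findings[user.get("name")] = hit
    return findings


# Constructed Web.config fragment: "admin" uses a common password, "alice" does not.
SAMPLE_CONFIG = """<configuration><system.web><authentication mode="Forms">
  <forms loginUrl="~/Account/Login"><credentials passwordFormat="SHA1">
    <user name="admin" password="{0}" />
    <user name="alice" password="{1}" />
  </credentials></forms></authentication></system.web></configuration>""".format(
    stored_form("secret", "SHA1"),
    stored_form("correct-horse-constructed-7731", "SHA1"),
)

if __name__ == "__main__":
    for name in audit_credentials(SAMPLE_CONFIG):
        print(f"{name}: stored hash matches a common password; rotate it")
```

Because the hashes carry no per-user salt, the lookup table is built once and reused for every account, which is why hashing alone does not protect weak passwords in this file.
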
The second problem is administration. Putting the credentials in the ...