The customer is not paying a dime for this change. They are cheap. And therefore they will get exactly what they ask for: displaying the password in the XML file as an encrypted string.

>>Again, I emphasize, I don't want to change the application in the way it reads the XML file. The only thing I willing to do, if possible, is to call some internal Windows function to decrypt the password.
>
>I have read the above. Can your app work WITHOUT connection to SQL server / in some offline mode ?
>If the answer is NO, then ANY security info should NOT be on the client, but live somewhat safer on the server.
>The only discussion should revolve around how much they should pay for heighteed security / who is responsible:
>securing an XML file on the server via permissions/encryption can be handled by their IT or by you (for instance as memo field served for any user).
>You might offload the task by switching over to allow access not based on pwd, but domain permissions, under control by their IT - get master pwd for all roles for debugging.
>
>I can understand unwillingness to change code as you want to sell / curb maintainance.
>But security should trump this - and be payed for accordingly.
>
>my 0.002€
>thomas
>
>>Hi,
>>
>>I am sure I have multiple threads about encrypting a password. But this one is a new sub-topic (I believe).
>>
>>In my VFP 9 application the credentials to the SQL Server are stored in an XML file. The User Name and the Password. The XML has other settings but they are not important for this thread.
>>It has been working this way for many years for many customers and nobody has ever complained.
>>This year I have a new customer. They sent me an email this morning that the Security Officer noticed that the password in the XML file is clearly readable and changeable. So, they ask me to encrypt it.
>>
>>I can do it using the Cipher function (which is used in many other places of my app). But I won't share with them the Cipher key (string used in the Cipher function). Many internals of my app depend on this key. And I don't want to change the design of the application just for one customer. I explained to the customer (in the email) that if I do what they ask for, I will be the only person who will be able to change the password. Which puts them in a precarious situation if I ever go out of business or not available to maintain the app. I have not heard from them as to what they think about this scenario.
>>
>>Meanwhile I have a question. Is there a simple encryption (e.g. API function) in Windows 7 and 10 that I would use it to encrypt the password and call from the VFP 9 application to decrypt? If this were possible, they would be able to encrypt the password (in case it changes in the future) without my help.
>>
>>Again, I emphasize, I don't want to change the application in the way it reads the XML file. The only thing I willing to do, if possible, is to call some internal Windows function to decrypt the password.
>>
>>TIA