I had read that the most secure way to make the connection from ASP.NET to SQL Server was to use windows authentication to the SQL Server database by forcing .NET to impersonate a local user. All good there.

However, when I impersonate, I still need to expose the password in the web.config file ( just as I was previously exposing the db password in my web.config ).

So, what gives? One of the reasons cited in the article I read about windows authentication ( I think i read it in the recent security issue of MSDN Mag ) being so great is that you didn't have to deal with the password.

Feedback anyone?

Dave