You are reviewing an application that accesses a SQL Server database. The application uses the following connection string:

MultipleActiveResultSets=True;Encrypt=True;Persist Security Info=True;
user id=username;password=password;database=northwind;server=dataServer

where username is the SQL Server login and password is the password associated with that account.

You need to minimize the chance that malicious code can access SQL login credentials.

Which configuration string parameter should you set?

Use Persist Security Info=False. The default value for Persist Security Info is False; use this default in all connection strings. Setting Persist Security Info to True or Yes allows security-sensitive information, including the user ID and password, to be obtained from a connection after it has been opened. When Persist Security Info is set to False or No, security information is discarded after it is used to open the connection, ensuring that an untrusted source does not have access to security-sensitive information.