This is How They Will Discover Secrets You Hide
If you publish your code on the internet, the first thing They will do is use Google CodeSearch. For example, try looking for "initial catalog":
If They are lucky and have your binaries, Reflector might help Them look for juicy hard-coded strings, but I believe They will choose to get all the strings using a simple tool that ships with Windows, FindStr, in conjunction with ILDASM, which ships with the .NET SDK or Visual Studio:
Ildasm.exe secureapp.dll /text | findstr ldstr
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa'; password=password"
How do you protect yourself?
- Do not hard code sensitive information.
- Use Windows authentication whenever possible, thus avoiding the need to manage credentials.
- Use platform features to protect sensitive information.
Full how-to index here: http://msdn.microsoft.com/library/en-us/dnpag2/html/SecurityHowTosIndex.asp?frame=true
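The same `ildasm /text` output can drive a release-time check on your own assemblies. The script below is an added example, not code from the original post: it parses `ldstr` literals and reports only those that assign a non-empty password, so parameter names and user messages are not flagged. The `audit_ldstr` name and the Integrated Security sample line are assumptions made for this illustration.

```python
import re
import sys

# One ildasm /text line, e.g.:  IL_0001: ldstr "some literal"
# (literals that ildasm emits as bytearray(...) are out of scope here)
LDSTR = re.compile(r'^\s*(IL_[0-9a-fA-F]{4,}):\s+ldstr\s+"(.*)"\s*$')
# A key=value pair that assigns a password inside a connection-string-like literal
SECRET = re.compile(r'(?i)\b(password|pwd)\s*=\s*([^;]*)')

# First six lines are the post's ildasm output; the last line is constructed.
SAMPLE = '''
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa'; password=password"
IL_0010: ldstr "Server=AppServer;Database=users;Integrated Security=SSPI"
'''

def audit_ldstr(il_text):
    """Return (offset, redacted literal) for each ldstr that embeds a password."""
    findings = []
    for line in il_text.splitlines():
        m = LDSTR.match(line)
        if not m:
            continue
        offset, literal = m.groups()
        secret = SECRET.search(literal)
        # "@passwordHash" and "Invalid username or password" carry no "=value"
        if secret and secret.group(2).strip():
            # Never echo the secret itself into build logs
            redacted = SECRET.sub(lambda s: s.group(1) + "=<redacted>", literal)
            findings.append((offset, redacted))
    return findings

if __name__ == "__main__":
    hits = audit_ldstr(SAMPLE)
    for offset, literal in hits:
        print(f"{offset}: hard-coded credential: {literal}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the build step
```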