
I'm using Windows Credential Manager to store login credentials for users of my application in order to support a 'Remember me'-like feature. I am wondering how storing user credentials in this way is secure. The reason I am curious is that if it is so easy for me to retrieve a user's password from this system, then surely it is just as easy for someone else to write a program that performs the same query to retrieve a user's password. Are the user credentials locked down to an individual application? Any answers are greatly appreciated.

For reference, I am using the code from "Encrypting credentials in a WPF application" to read and write the user credentials to the Windows Credential Manager.

user3412625
  • 3
    Credentials are not locked to an application. Malicious applications can read the data if they so desire. There's even [Network Password Recovery](http://www.nirsoft.net/utils/network_password_recovery.html). It's protected by the user's logon password, so it's secure in that manner (i.e. you can't read them from another account). The security is in the [airtight hatchway](http://stackoverflow.com/questions/2787853/). – Anya Shenanigans Jan 21 '15 at 00:33
  • Is that not pretty terrible/useless? – user3412625 Jan 21 '15 at 02:45
  • 2
    It's not terrible - if you have access to the passwords, then things that run as you also have access to them; it's just a matter of how many hoops they have to go through to access them. It's the mechanism that Windows itself uses for remembering passwords for network shares, etc. To be perfectly honest, if you want a 'remember me' feature that stores a password, then there is no way in software of preventing a malicious program from getting it regardless of where you store it, because if your app has to get it then any other app could copy it from you. – Anya Shenanigans Jan 21 '15 at 07:46

0 Answers