10

Currently, I'm storing my usernames & passwords in a SQL Server CE database.

I would like to use some Windows API in order to securely store my user passwords, so that no other application running on the machine could read them.

I'm supporting Windows 7, and so I cannot use Password Vault.

I've tried to use the CredWrite and CredRead API, based on the example provided here.

However, while I successfully managed to store and restore my passwords, I also successfully managed to restore them using a completely different application. Meaning that the only security I have is the key I'm using.

Is there any other viable solution?

Seems like anything that uses the Windows Security Account Manager won't do.

marc_s
Mugen
  • Why are you storing passwords? Isn't that really bad practise? – David Heffernan Aug 16 '15 at 20:42
  • Depending on your scenario, one approach would be to encrypt the passwords yourself (using the cryptography API or the CNG) with a passphrase that the user must enter when your application runs. – Harry Johnston Aug 16 '15 at 21:13
  • @DavidHeffernan UI automation is also another good reason – Ohad Schneider Nov 17 '16 at 11:04
  • @OhadSchneider That makes no sense to me. Are you aware of the concept of salting and hashing passwords? – David Heffernan Nov 17 '16 at 11:12
  • @DavidHeffernan Suppose I have a UI automation script that opens up GMail.com and needs to sign in with some user name and password. I need to have the automation script actually type in the password. What are you proposing? – Ohad Schneider Nov 17 '16 at 11:26
  • @Ohad That's one use case. Not all use cases are like that. Do you think that Google store your passwords? They don't. – David Heffernan Nov 17 '16 at 11:31

2 Answers

8

Use Data Protection API (DPAPI)

Data is protected by the user account credentials, so it can be retrieved by other applications running under the same account. Alternatively, you can use the machine credentials to give access to services.

See Example C Program: Using CryptProtectData for an example.

DPAPI is used by the vast majority of applications to store passwords.

Remus Rusanu
  • Is anything keeping any other malicious software that knows my username from encrypting the same string and accessing the SAM? – Mugen Aug 16 '15 at 11:11
  • 4
    @Mugen The password is used in this case, so even if you know the username, you can't read the passwords without the user's password. Bear in mind that applications running in the same context as the user account will be able to read the information, but this is **always** going to be a vulnerability. – Anya Shenanigans Aug 16 '15 at 11:19
1

Since the question is tagged with C#: there is a .NET managed wrapper around DPAPI, which is easier than using Interop code.

A clear example on how to use this can be found here.

If the type ProtectedData cannot be found in the namespace System.Security.Cryptography, make sure to add this NuGet package:

Install-Package System.Security.Cryptography.ProtectedData

Aage