Store passwords securely in Windows

Asked 16/8, 2015 at 10:42 Answered 9/6, 2021 at 7:45

Solved c#winapi password-protection account-management passwordvault

Currently, I'm storing my usernames & passwords in a SQL Server CE database.

I would like to use some Windows API in order to securely store my user passwords, so that no other application running on the machine could read them.

I'm supporting Windows 7, and so I cannot use Password Vault

I've tried to use the CredWrite and CredRead API, based on the example provided here.

However, while I successfully managed to store and restore my passwords, I also successfully managed to restore them using a completely different application. Meaning that the only security I have is the key I'm using.

Is there any other viable solution?

Seems like anything that use Windows Security Account Manager won't do.

Seligman answered 16/8, 2015 at 10:42 Comment(6)

Why are you storing passwords? Isn't that really bad practise? – Damon 16/8, 2015 at 20:42

Depending on your scenario, one approach would be to encrypt the passwords yourself (using the cryptography API or the CNG) with a passphrase that the user must enter when your application runs. – Ferdinana 16/8, 2015 at 21:13

@DavidHeffernan UI automation is also another good reason – Killigrew 17/11, 2016 at 11:4

@OhadSchneider That makes no sense to me. Are you aware of the concept of salting and hashing passwords? – Damon 17/11, 2016 at 11:12

@DavidHeffernan Suppose I have a UI automation script that opens up GMail.com and needs to sign in with some user name and password. I need to have the automation script actually type in the password. What are you proposing? – Killigrew 17/11, 2016 at 11:26

@Ohad That's one use case. Not all use cases are like that. Do you think that Google store your passwords? They don't. – Damon 17/11, 2016 at 11:31

Use Data Protection API (DPAPI)

CryptProtectData to store the data
CryptUnprotectData to retrieve the data

Data is protected by the user account credentials, so it can be retrieved by other application running under same account. Alternatively you can use the machine credentials to give access to services.

See Example C Program: Using CryptProtectData for an example.

DPAPI is used by the vast majority of applications to store passwords.

Aluminize answered 16/8, 2015 at 10:45 Comment(2)

Anything is keeping any other malicious software that knows my username from encrypting the same string and accessing the SAM? – Seligman 16/8, 2015 at 11:11

@Seligman The password is used in this case, so even if you know the username, you can't read the passwords without the user's password. Bear in mind that applications running in the same context as the user account will be able to read the information, but this is always going to be a vulnerability. – Skirmish 16/8, 2015 at 11:19

Since the question is tagged with C#: there is a .NET managed wrapper around DPAPI, which is easier than using Interop code.

A clear example on how to use this can be found here.

If the type ProtectedData cannot be found in the namespace System.Security.Cryptography make sure to add this nuget package:

Install-Package System.Security.Cryptography.ProtectedData

Afflatus answered 9/6, 2021 at 7:45 Comment(0)

Recommended topics

Hot tags