Tuesday, September 12, 2006

Storing Credentials on Windows

I was about to add a question to Raymond's queue so that I could get a definitive answer from one of the Windows shell gurus when I noticed this question posted June 26, 2004 (Over two years ago??? Does Raymond ever clean that thing out?):

How do I store a user's credentials (username/password for a web site or ftp site) securely?
The typical answer on Windows is to use DPAPI, namely the CryptProtectData and CryptUnprotectData APIs, and store the resulting blob wherever you like: registry, file system, in your left shoe, whatever. The up-side is that Windows takes care of all of the crypto mess. The down-side is that the key is derived from the user's SID and password hash, so the encryption is only as strong as the user's password, plus a really inept attacker's inability to guess a SID (any ept hacker could easily either figure it out or start enumerating).
I was the (then later "a") EFS tester at Microsoft for about 3 years. EFS is probably still the primary consumer of DPAPI within the OS. During that time I was also the backup tester for DPAPI.
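The round trip described above, as an added example that is not part of the original post: it calls DPAPI through the .NET ProtectedData wrapper over CryptProtectData/CryptUnprotectData (Windows PowerShell 5.1 assumed), uses a constructed sample credential, and supplies the optional entropy parameter so that the blob depends on an application secret as well as the user's profile key.

```powershell
# Added example, not code from the original post: DPAPI protect/unprotect via
# System.Security.Cryptography.ProtectedData (wraps CryptProtectData and
# CryptUnprotectData). Scope CurrentUser ties the blob to this user's profile.
Add-Type -AssemblyName System.Security

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed sample credential and a constructed "optional entropy" value.
# Entropy only helps if the application keeps it away from the stored blob;
# it does not change the fact that the master key derives from the password.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('ftpuser:Correct-Horse-42')
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-v1')

# Protect: the blob can be stored anywhere (file here; registry works too).
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
$path = Join-Path $env:LOCALAPPDATA 'dpapi-demo.bin'   # assumed storage location
[System.IO.File]::WriteAllBytes($path, $blob)

# Unprotect later, in the same user context and with the same entropy.
$stored = [System.IO.File]::ReadAllBytes($path)
$plain  = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, $entropy, $scope)
$recovered = [System.Text.Encoding]::UTF8.GetString($plain)
"Recovered credential matches original: $($recovered -eq 'ftpuser:Correct-Horse-42')"

# Wrong entropy (or another user's profile key) fails instead of decrypting,
# which is the behaviour to expect when the blob is copied elsewhere.
try {
    $null = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, [byte[]](1, 2, 3), $scope)
    'Unexpected: unprotect succeeded with wrong entropy'
} catch {
    "Unprotect with wrong entropy failed as expected: $($_.Exception.Message)"
}

# Do not leave plaintext copies around once they have been used.
[Array]::Clear($secret, 0, $secret.Length)
[Array]::Clear($plain, 0, $plain.Length)
Remove-Item $path
```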

