I was about to add a question to Raymond's queue so that I could get a definitive answer from one of the Windows shell gurus when I noticed this question posted June 26, 2004 (Over two years ago??? Does Raymond ever clean that thing out?):
How do I store a user's credentials (username/password for a web site or ftp site) securely?
The typical answer on Windows is to use DPAPI, namely the CryptProtectData APIs, and store the blob wherever you like: registry, file system, in your left shoe, whatever. The up-side is that Windows takes care of all of the crypto mess. The down-side is that the key is derived from the user’s SID and password hash, so the encryption is only as strong as the user’s password and possibly a really inept attacker's inability to guess a SID (because any ept hacker could easily either figure it out or start enumerating).
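As an added illustration (not code from the original post), here is the DPAPI round trip in PowerShell through the .NET ProtectedData wrapper over CryptProtectData/CryptUnprotectData. The secret, the entropy string and the file path are constructed for the example; it assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

```powershell
# Added example, not from the original post: protect a credential with DPAPI,
# store the opaque blob in a file, and read it back.
Add-Type -AssemblyName System.Security

# Constructed sample secret; a real application would take it from a PSCredential.
$plain = [Text.Encoding]::UTF8.GetBytes('ftpuser:Correct-Horse-Battery')

# Optional entropy is an application-specific value mixed into the key derivation.
# It does not change whose key protects the blob: any process running as this
# user can still call CryptUnprotectData, but it also has to supply this value.
$entropy = [Text.Encoding]::UTF8.GetBytes('example-app-v1')

# CurrentUser ties the blob to this user's DPAPI master key (derived from the
# logon secret). LocalMachine would let any account on this machine decrypt it,
# so it is the wrong choice for a per-user credential.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $scope)

# Wipe the plaintext once the blob exists; the blob can live anywhere.
[Array]::Clear($plain, 0, $plain.Length)
$path = Join-Path $env:LOCALAPPDATA 'example-app\ftp.cred'   # constructed path
New-Item -ItemType Directory -Force -Path (Split-Path $path) | Out-Null
[IO.File]::WriteAllBytes($path, $blob)

# Reading it back succeeds only for the same user account with the same entropy.
# It fails (CryptographicException) under another account, after a profile
# reset that loses the master keys, or if the blob was tampered with.
$stored = [IO.File]::ReadAllBytes($path)
try {
    $recovered = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, $entropy, $scope)
    $text = [Text.Encoding]::UTF8.GetString($recovered)
    [Array]::Clear($recovered, 0, $recovered.Length)
    $text
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning "Unprotect failed: $($_.Exception.Message)"
}
```

The scope argument is the part that matters most for the trade-off described above: with CurrentUser the blob inherits exactly the strength of the user's logon secret, which is the down-side the paragraph names, while LocalMachine gives up even that and protects against nothing but an attacker who cannot run code on the box.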
I was the (then later "a") EFS tester at Microsoft for about 3 years. EFS is probably still the primary consumer of DPAPI within the OS. During that time I was also the backup tester for DPAPI.