Store passwords securely in Windows

Question

Currently, I'm storing my usernames & passwords in a SQL Server CE database.

I would like to use some Windows API in order to securely store my user passwords, so that no other application running on the machine could read them.

I'm supporting Windows 7, and so I cannot use Password Vault

I've tried to use the CredWrite and CredRead API, based on the example provided here.

However, while I successfully managed to store and restore my passwords, I also successfully managed to restore them using a completely different application. Meaning that the only security I have is the key I'm using.

Is there any other viable solution?

Seems like anything that use Windows Security Account Manager won't do.

Answer 1

Use Data Protection API (DPAPI)

• CryptProtectData to store the data
• CryptUnprotectData to retrieve the data

Data is protected by the user account credentials, so it can be retrieved by other application running under same account. Alternatively you can use the machine credentials to give access to services.

See Example C Program: Using CryptProtectData for an example.

DPAPI is used by the vast majority of applications to store passwords.

Answer 2

Since the question is tagged with C#: there is a .NET managed wrapper around DPAPI, which is easier than using Interop code.

A clear example on how to use this can be found here.

If the type ProtectedData cannot be found in the namespace System.Security.Cryptography make sure to add this nuget package:

Install-Package System.Security.Cryptography.ProtectedData