Is there is a best practices way to store credentials in a .NET Windows application, be it be a built in API or just a recommend encryption algorithm?
Along the same lines as Tortoise SVN, Spotify and Skype.
Edit: My intention is to use a web service that returns a token from it's authentication service. The other services then accept that token as a parameter. However, the token expires after 30 minutes so storing the token itself it pointless for this task.
Best practice is never to store credentials, only Kerberos tokens... unfortunately, not every resource allows such authentication.
It appears that using ProtectedData (which wraps the Windows Data Protection API) is my best bet, as it has the option to encrypt based on the currently logged in user.
byte[] dataToEncrypt = new byte[] { ... };
// entropy will be combined with current user credentials
byte[] additionalEntropy = new byte { 0x1, 0x2, 0x3, 0x4 };
byte[] encryptedData = ProtectedData.Protect(
dataToEncrypt, additionalEntropy, DataProtectionScope.CurrentUser);
byte[] decryptedData = ProtectedData.Unprotect(
encryptedData, additionalEntropy, DataProtectionScope.CurrentUser);
There are a whole lot of recomendations re passwords in MSDN. You're going to need to find a managed wrapper for CryptProtectData