Windows equivalent of OS X Keychain?

Question

Is there an equivalent of the OS X Keychain, used to store user passwords, in Windows? I would use it to save the user's password for a web service that my (desktop) software uses.

From the answers to this related question (Protecting user passwords in desktop applications (Rev 2)) and the multitude of third party password storage tools available, I assume that such a thing doesn't exist-- Am I stuck with either asking for the password each time I access the web service, or just storing it obfuscated?

Answer 1

The "traditional" Windows equivalent would be the Protected Storage subsystem, used by IE (pre IE 7), Outlook Express, and a few other programs. I believe it's encrypted with your login password, which prevents some offline attacks, but once you're logged in, any program that wants to can read it. (See, for example, NirSoft's Protected Storage PassView.)

Windows also provides the CryptoAPI and Data Protection API that might help. Again, though, I don't think that Windows does anything to prevent processes running under the same account from seeing each other's passwords.

It looks like the book Mechanics of User Identification and Authentication provides more details on all of these.

Eclipse (via its Secure Storage feature) implements something like this, if you're interested in seeing how other software does it.