views: 654

answers: 4

I need to store my users' name/password somewhere (preferably the Registry) so my .Net application can use them to log in to some remote service on behalf of the user. I know it's possible to store values in the registry as "secrets", which means they're encrypted using the Windows domain user token or something. In other words, I don't want to have to deal with the encryption myself.

To clarify: I can't store hashes of the password or salt them or anything. These credentials are for a 3rd party system and the only way for me to be able to log in to this system on behalf of my users is to somehow keep their credentials and be able to restore them.

So anyway, I remember vaguely there's such a place in the registry, but the details are murky. And I need to do it in C# (though if it's simple registry access it shouldn't matter).

Edit: One more thing, it should persist between Windows user sessions (IOW it doesn't help me if the password is unreadable after the user logs off and on).

+10  A: 

You're probably thinking of the Data Protection API. Search MSDN or read some blogs and see if that'll work for you.

overslacked
Yes, good catch! DPAPI seems to be what the OP is talking about.
Cerebrus
Would the encryption be persistent over user sessions? (i.e. if the user logs off and back on or if enough time passes, would the data still be readable)?
Assaf Lavie
+4  A: 

You can try using System.Security.Cryptography.ProtectedData, which can encrypt them using a per user key. http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx.

It's not completely secure, since code running as the user could decrypt the data.

Michael
Would the encryption be persistent over user sessions? (i.e. if the user logs off and back on or if enough time passes, would the data still be readable)?
Assaf Lavie
Yes, it's a per-user encryption key.
Michael
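Putting the two answers above together (DPAPI, reached from .NET through System.Security.Cryptography.ProtectedData, with the protected blob kept under HKCU), here is an added example of the round trip. It is not code from either answer or from the OP. The registry key path, the value layout (one binary value per remote-service user name) and the entropy string are assumptions made for this example; on .NET Framework the project needs a reference to System.Security.dll for ProtectedData.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// Added example: stores a third-party credential in the registry as a DPAPI blob.
// Key path, value naming and entropy are assumptions for this example, not from the original answers.
static class CredentialStore
{
    // Assumed location. HKCU is per Windows user and part of the user profile, so the value
    // is present again after the user logs off and back on.
    const string KeyPath = @"Software\ExampleApp\Credentials";

    // Optional extra entropy. DPAPI mixes it into the key derivation, so other code running as the
    // same user also has to know this value. It lives in the binary, so treat it as a speed bump, not a secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp-credential-store-v1");

    public static void Save(string serviceUser, string password)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(password);

        // CurrentUser scope: the blob is bound to the DPAPI master key of the logged-on Windows user.
        // Another user on the same machine gets a CryptographicException on Unprotect.
        byte[] protectedBytes = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);

        // Don't leave the plaintext lying around in managed memory longer than needed.
        Array.Clear(plaintext, 0, plaintext.Length);

        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            key.SetValue(serviceUser, protectedBytes, RegistryValueKind.Binary);
        }
    }

    // Returns null when nothing is stored or when the blob cannot be decrypted by this Windows user.
    public static string Load(string serviceUser)
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            if (key == null)
                return null;

            byte[] protectedBytes = key.GetValue(serviceUser) as byte[];
            if (protectedBytes == null)
                return null;

            try
            {
                byte[] plaintext = ProtectedData.Unprotect(protectedBytes, Entropy, DataProtectionScope.CurrentUser);
                string password = Encoding.UTF8.GetString(plaintext);
                Array.Clear(plaintext, 0, plaintext.Length);
                return password;
            }
            catch (CryptographicException)
            {
                // Blob was protected by a different user/master key, or has been tampered with.
                return null;
            }
        }
    }

    public static void Delete(string serviceUser)
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath, writable: true))
        {
            if (key != null)
                key.DeleteValue(serviceUser, throwOnMissingValue: false);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample credential for the demonstration.
        CredentialStore.Save("remote-service-user", "s3cret-from-third-party");

        string recovered = CredentialStore.Load("remote-service-user");
        Console.WriteLine(recovered == "s3cret-from-third-party" ? "round trip OK" : "round trip FAILED");

        CredentialStore.Delete("remote-service-user");
    }
}
```

The stored value survives logoff/logon because the CurrentUser master key is itself protected by the user's logon credential, which is exactly the persistence the OP asked about. The flip side is the point Michael makes: any process running as that Windows user can call Unprotect just as this code does, so DPAPI protects against other accounts on the machine and against copying the registry hive elsewhere, not against malware or a debugger in the user's own session. DataProtectionScope.LocalMachine would make the blob readable by every account on the machine, which is the wrong choice for per-user credentials.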
A: 
  • You should never store credentials as plaintext. Use a symmetric key cipher. Take the password out at runtime. See the MSDN reference on Cryptography functions.
dirkgently
What do you mean by taking the password out at runtime? If I use a symmetric key then anyone that examines the binary can pull it out.
Assaf Lavie
Fudge the binary. Use multiple hashes. Taking the password out will mean decryption. This is much, much better than plaintext password any given day.
dirkgently
+1  A: 

Keep in mind that you're not really securely storing anything if you can automatically (without user input) retrieve the password. Using RSA, symmetric, or other encryption doesn't make a difference so long as you store the decoding key within your application. Once anyone gets the key, the secret's out.

However, the Data Protection API mentioned above should protect passwords from other users on the same machine. (It sounds like DPAPI uses your login credentials for encryption.)

For a few more options, check out the msdn page for Threat Mitigation.

pydave