I am working on a web-based application that will need to store usernames and passwords. Account information will be needed to perform secondary authentication on behalf of users, so I can't simply store usernames and passwords using one-way hashing with salt etc.
Assuming that my basic requirement can't change, any suggestions on how to handle the storage of these accounts? Symmetric encryption using the machine key? Using a random key in web.config? Using SQL-based encryption?