Saving the password on the machine in this scenario?

I am trying to find a way for my application to store the username and password (which should be retrieved later in raw form after decryption - hashing is not an option). At first glance, I thought of some simple encryption algorithm.

However, most encryption algorithms (even those that use a SALT or PEPPER) have the problem that decompiling a C# executable can easily reveal what the SALT and PEPPER are and how to decrypt the data. This can be mitigated by obfuscating the code, but in the long run even that can be broken.

I understand that I can go to extremes here. However, my application will be used by large companies around the world and security is very important (oh, and I'm also hypothetically interested in a solution).

The program will only work on Windows 7 or later.

I originally looked at the ProtectedData class in C#, which protects the password for the current user. However, I also want to keep it tied to the current program (if possible) so that other programs running as the same user cannot retrieve the password.

Finally, I realized that Windows 7 and later have a Credential Manager in Control Panel and that apps can interact with it (and therefore so can C#).

However, is Credential Manager scoped to the current user and the current program? Can other programs of the same user access the credentials?

If so, is there a way at all to keep this data secure? I trust Windows 7 Credential Manager to be secure enough, but I'm just concerned that other apps are free to grab my app's data.

Edit - it should probably be mentioned that I have a code signing certificate from StartSSL, if that can be used. Not sure how this helps, but perhaps you have a clue.

+3

1 answer


Who are you trying to protect the password from?

The fact is that if a password is stored on a local computer, then someone who has physical access to this computer can access it. This is a fundamental limitation of security, computer or otherwise.

If this is a password available to the user of your program, then Windows Credential Manager is actually the best solution. If you want the password to be inaccessible to the average piece of other software, you can encrypt it. But keep in mind that since you are decrypting locally, with sufficient effort it will always be possible to reverse this decryption regardless of how you do it (i.e., whether you are using Windows CM or not).



If you don't want the user to be able to get the password, then it is simply not possible to safely store the password on the local computer. You will have to come up with some other means of access, such as having a server that you control that applies a password as needed to a resource on behalf of a user. Of course, then you have a user authentication problem; if someone finds out their password, then they gain that user's level of access to whatever resource you are trying to protect.

Bottom line: use the tools available, preferably native OS functions. Do not put more effort into security than the value of the asset justifies, and try very hard to reuse "official" security mechanisms rather than trying to invent your own.

+2
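To illustrate the boundary the answer describes for the ProtectedData (DPAPI) route the question mentions, here is an added example that is not from the question or the answer: the blob is bound to the current Windows user, so another user or an offline copy of the disk cannot unprotect it, but any process running as the same user with the same entropy can. It assumes .NET on Windows with a reference to System.Security.dll (or the System.Security.Cryptography.ProtectedData package); the entropy string and the sample password are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post): wrapping a secret with DPAPI.
public static class UserScopedSecretStore
{
    // Optional additional entropy. Anything embedded in the binary is recoverable
    // by decompiling it, exactly as the question observes, so this only raises
    // the bar against casual reads by same-user code; it is not a secret key.
    private static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("example-app-entropy");

    public static byte[] Protect(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            // CurrentUser scope ties the blob to this user's DPAPI master key:
            // other users (or someone with only the disk) cannot unprotect it,
            // but any process running as this same user can.
            return ProtectedData.Protect(plain, AppEntropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // limit plaintext lifetime in memory
        }
    }

    public static string Unprotect(byte[] blob)
    {
        byte[] plain = ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    public static void Main()
    {
        byte[] blob = Protect("hunter2");               // constructed sample password
        Console.WriteLine(Convert.ToBase64String(blob)); // safe to persist on disk
        Console.WriteLine(Unprotect(blob));              // same user + same entropy succeeds

        try
        {
            // Same user but different (here: no) entropy: DPAPI refuses the blob.
            ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("entropy mismatch: unprotect failed");
        }
    }
}
```

The entropy check is the only per-application separation DPAPI offers, and it holds only as long as the entropy stays out of reach of the other same-user process, which is the reversal-effort caveat in the answer.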
