
How to securely store passwords in .NET applications?

How does Windows store passwords that it uses? For instance, when you
install a service, you can provide it the username and password. This
information is stored somehow so that at a later date the service can start
without interaction from the user. Also for COM+ components.

This is what I want to be able to do. I want the ability to store passwords
in a protected manner so that my .NET application can start a secure process
at a later time. Maybe some built-in mechanism in Windows or some framework
classes?

Nov 15 '05 #1
2 Replies


Search for DPAPI (data protection API). Only available on XP though.

Another search you can do is Key Store. Some people have written managed key
stores or key stores that integrate with the older NT API. In any case, it's
also data protection used to store secrets (like encryption keys and
passwords).

-Rob [MVP]


Nov 15 '05 #2

Thanks.

I am using DP for some of my code so I am familiar with it. But I am not
sure if I can use it to secure my passwords.

Is this how Windows saves the passwords for a Windows service or COM+
component? From what I know about DP, it uses the credentials of the
current user as the key to the encryption/decryption of data. This is fine
if I want to limit the encrypted information to the current user.

Let's take an example of a Windows service (you know, the programs that can
automatically start when the machine boots). Suppose that I install a
service application. I give that application the username and password for
some account. That information is stored somewhere, I assume in some
secured format. Later that day, the machine starts up. Upon boot, the
service that I installed is launched. (At this point in time, there is no
user context, so I would imagine that this information is not stored using the
DP API.) The password is retrieved by Windows (whatever process controls
the launching of services) and that information is passed to the
LoginUser(...) where it then uses the returned ticket. The other
alternative would be to store information at the machine level, but then
anyone with access to the machine can decrypt the information.

This is similar to what I would like to do. I want to encrypt some password
information. Store it. Then be able to use that information to call the
LoginUser(...) API function so that I can impersonate the current user when
my application requires certain resources. My application would be usable
by any account and my application should have access to a single username
and password that is defined by an administrator. This way, the application
can access these external resources by a single password, and that password
is secure so that none of the users of the system will be able to determine
what the password is and use it for other purposes.



Nov 15 '05 #3
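
The user-scope versus machine-scope trade-off raised in the post above, shown as an added example that is not part of the original thread. It uses the .NET `ProtectedData` wrapper over DPAPI; the class name, the sample secret and the entropy value are constructed for illustration.

```csharp
// Added example, not code from the thread. Windows only; on .NET Core / .NET 5+
// it needs the System.Security.Cryptography.ProtectedData package.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class DpapiScopeDemo   // hypothetical class name
{
    // Constructed sample values, not real credentials.
    static readonly byte[] Secret = Encoding.UTF8.GetBytes("constructed-sample-password");
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-app-entropy");

    static void Main()
    {
        // CurrentUser: the blob is bound to the account that called Protect,
        // so other accounts on the same machine cannot unprotect it.
        byte[] userBlob = ProtectedData.Protect(Secret, Entropy, DataProtectionScope.CurrentUser);

        // LocalMachine: any process running on this machine can unprotect the blob,
        // which is the concern about machine-level storage raised in the post.
        byte[] machineBlob = ProtectedData.Protect(Secret, Entropy, DataProtectionScope.LocalMachine);

        Console.WriteLine("user blob round-trips:    " +
            RoundTrips(userBlob, Entropy, DataProtectionScope.CurrentUser));
        Console.WriteLine("machine blob round-trips: " +
            RoundTrips(machineBlob, Entropy, DataProtectionScope.LocalMachine));

        // The optional entropy must match byte for byte, otherwise Unprotect throws.
        Console.WriteLine("machine blob, wrong entropy: " +
            RoundTrips(machineBlob, new byte[] { 1, 2, 3 }, DataProtectionScope.LocalMachine));

        Array.Clear(Secret, 0, Secret.Length);   // do not leave the plaintext in memory
    }

    // Returns true only if the blob unprotects and yields the original secret.
    static bool RoundTrips(byte[] blob, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plain = null;
        try
        {
            plain = ProtectedData.Unprotect(blob, entropy, scope);
            return plain.SequenceEqual(Secret);
        }
        catch (CryptographicException)
        {
            return false;   // wrong entropy, wrong account, or tampered blob
        }
        finally
        {
            if (plain != null) Array.Clear(plain, 0, plain.Length);
        }
    }
}
```

With `LocalMachine` scope, the entropy value compiled into the program is readable by anyone who can read the binary, so the blob itself should be stored behind an ACL that only administrators and the consuming account can read.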
