Storing a password safely on the machine in this scenario?

Question

I am trying to find a way for my application to store a username and password (which must be retrieved later in raw form after decrypting - hashing is not an option). At first glance, I thought of some simple encryption algorithm.

However, most encryption algorithms (even the ones using a SALT or PEPPER) are flawed in that decompiling the C# executable can easily tell what the SALT and PEPPER is, and how the codes are decrypted. This can be fixed by obfuscating the code - however, ultimately even that can be broken.

I realize I might be going into extremes here. However, my application will be used by major companies around the world, and security is super important (oh, and I am also hypothetically interested in a solution).

The program will only run on Windows 7 or later.

Initially I looked into the ProtectedData class in C#, which makes the password secure for the current user. However, I want security for the current program as well (if possible), so that other programs running on the same user can't fetch the password.

Then finally, I realized that Windows 7 and later has a Credentials Manager in the control panel, and that applications can interact with this (and so can C#).

However, is the Credentials Manager secured to the current user, and the current program as well? Can other programs on the same user still access the credentials?

If yes, does there even exist a way of securing this data entirely? I trust in Windows 7's Credential Manager to be safe enough, but I am just concerned that other applications can freely take my application's data.

Edit - it should probably be mentioned that I have a code signing certificate from StartSSL if that's of any use. Not sure how that would help though, but maybe you have a clue.

Answer 1

From whom are you trying to protect the password?

The fact is, if the password is stored on the local computer, then someone who has physical access to that computer can access it. This is a fundamental limitation of security, computer or otherwise.

If it is a password that is fine for the user of your program to access, then Windows Credential Manager is in fact the best solution. If you want the password inaccessible to the average other piece of software, then you can encrypt it. But note that since you are decrypting locally, it will always be possible given sufficient effort to reverse engineer that decryption, regardless of the means of securing it (i.e. whether you use Windows CM or not).

If you don't want even the user to be able to get at the password, then it's simply not possible to safety store the password on the local machine. You'd have to come up with some other means of access, such as having a server you control that applies the password as needed to the resource on behalf of the user. Of course, then you have the problem of authenticating the user; if someone discovers their password, then they wind up with that user's level of access to whatever resource you're trying to protect.

The bottom line: use the available tools, preferably built-in OS features. Don't put more effort into security than is justified by the value of the asset, and try really hard to reuse "official" security mechanisms rather than trying to reinvent your own.