Windows equivalent of OS X Keychain?

Is there an equivalent of the OS X Keychain, used to store user passwords, in Windows? I would use it to save the user's password for a web service that my (desktop) software uses.

From the answers to this related question (Protecting user passwords in desktop applications (Rev 2)) and the multitude of third-party password storage tools available, I assume that such a thing doesn't exist. Am I stuck with either asking for the password each time I access the web service, or just storing it obfuscated?


Solution 1:

It is the year 2018, and Windows 10 has a "Credential Manager" that can be found in the "Control Panel".

Solution 2:

The "traditional" Windows equivalent would be the Protected Storage subsystem, used by IE (pre IE 7), Outlook Express, and a few other programs. I believe it's encrypted with your login password, which prevents some offline attacks, but once you're logged in, any program that wants to can read it. (See, for example, NirSoft's Protected Storage PassView.)

Windows also provides the CryptoAPI and Data Protection API that might help. Again, though, I don't think that Windows does anything to prevent processes running under the same account from seeing each other's passwords.

It looks like the book Mechanics of User Identification and Authentication provides more details on all of these.

Eclipse (via its Secure Storage feature) implements something like this, if you're interested in seeing how other software does it.

Solution 3:

Windows 8 has a notion of a keychain called Password Vault. Windows Runtime apps (Modern/Metro) as well as managed desktop apps can make use of it. According to the documentation:

Apps and services don't have access to credentials associated with other apps or services.

See How to store user credentials on MSDN.

Pre-Windows 8, the Data Protection API (DPAPI) is the closest equivalent to a keychain. Arbitrary data can be encrypted using this API, although storing the encrypted data is up to the developer. The data is ultimately encrypted using the current user's password; however, user- or developer-supplied "optional entropy" can be included to further protect the data from other software or users. The data can also be decrypted on different computers in a domain.

DPAPI can be accessed through native calls to Crypt32.dll's CryptProtectData and CryptUnprotectData functions or through .NET Framework's ProtectedData class, which is a limited feature wrapper for the former functions.

More information than you ever needed to know about DPAPI is available in Passcape's article DPAPI Secrets. Security analysis and data recovery in DPAPI.
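As an added illustration of the DPAPI approach described in this answer (example code, not from the answer or from Microsoft's documentation): the .NET `ProtectedData` wrapper with a per-application "optional entropy" value. The class name `DpapiCredentialStore`, the entropy string and the sample password are made up for the example; on .NET Core/.NET 5+ the `System.Security.Cryptography.ProtectedData` package is required and the code only runs on Windows.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiCredentialStore
{
    // Hypothetical per-app entropy. It is not a secret (any process running as the
    // same user can read your binary), but a caller that passes different entropy,
    // or none, to CryptUnprotectData cannot decrypt this application's blobs.
    private static readonly byte[] AppEntropy =
        Encoding.UTF8.GetBytes("ExampleApp-WebService-Credential-v1");

    public static byte[] Protect(string secret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        try
        {
            // CurrentUser scope: the blob is tied to this Windows account's
            // DPAPI master key (roams with the profile in a domain).
            return ProtectedData.Protect(plaintext, AppEntropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            Array.Clear(plaintext, 0, plaintext.Length); // don't leave the secret in memory
        }
    }

    public static string Unprotect(byte[] blob)
    {
        byte[] plaintext = ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plaintext); }
        finally { Array.Clear(plaintext, 0, plaintext.Length); }
    }

    public static void Main()
    {
        byte[] blob = Protect("constructed-sample-password"); // constructed sample input
        // Persisting `blob` (file, registry, ...) is left to the application, as the answer notes.
        Console.WriteLine(Unprotect(blob));

        try
        {
            // Decrypting with another program's entropy value is rejected by DPAPI.
            ProtectedData.Unprotect(blob, Encoding.UTF8.GetBytes("other-app"), DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("wrong entropy: decryption rejected");
        }
    }
}
```

The entropy only separates applications that cooperate; it does not stop code running under the same account from reading the value out of your binary, which is the same-account caveat Solution 2 raises.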

Solution 4:

Actually, looking through MSDN, the functions they recommend using (instead of Protected Storage) are:

  • CryptProtectData
  • CryptUnprotectData

The link for CryptProtectData is at CryptProtectData function.

Solution 5:

The OS X Keychain equivalent is Credential Manager in Windows.