Bugtraq mailing list archives

Secure Storage of Secrets in Windows


From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Mon, 17 May 1999 14:57:31 -0700


Not long ago we discussed why you still see messages that describe
yet another application that stores passwords in an insecure manner,
in particular under Windows. The bottom line was that there are two
common cases.

The first one is where an application needs to authenticate a user
against the password. In many of these cases the plaintext password
can be replaced by a one-way hash with little or no loss of functionality.
The second case is where an application requires the password to
authenticate itself to a service on behalf of the user, without
prompting them for the password after the first time.

Several people mentioned that an application or agent could be created
that securely stores these secrets for many applications. The user
would then only need to authenticate once, to this application or
agent, to allow any other applications running under their id to request
their secrets. Although this system does not stop rogue applications
(e.g. trojans, BackOrifice) from stealing the secrets, it does stop a whole
range of vulnerabilities from doing so (e.g. JavaScript file-stealing
vulnerabilities, world-readable shares, etc).

The Win32 API provides such a service. Although in the past its encryption
was found to be rather weak, Microsoft claims to have fixed it, no one
else has claimed otherwise, and it's better than nothing.
(References: http://www.netsys.com/firewalls/firewalls-9512/0442.html
http://www.geek-girl.com/bugtraq/1995_4/0138.html ).

So here is a reminder to Windows application programmers that you can use
WNetCachePassword and WNetGetCachedPassword, which in some documentation
MS calls the Master Password API.
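
The agent model described above (unlock once with a master password, then hand each application only its own secret), sketched as an added example in Ruby with OpenSSL; this is neither code from this post nor the Win32 Master Password API. The class name, the PBKDF2-HMAC-SHA256 key derivation and the AES-256-GCM record layout are assumptions made for the illustration.

```ruby
require 'openssl'

# Added sketch of a secret-storing agent (assumed design, not the Win32 API).
class SecretAgent
  def initialize
    @salt  = OpenSSL::Random.random_bytes(16) # constructed per-user salt, kept with the store
    @key   = nil                               # derived key is held only in memory while unlocked
    @store = {}                                # resource name => [iv, tag, ciphertext]
  end

  # The single authentication step. No password verifier is stored: a wrong master
  # password simply derives a wrong key, which the GCM tag check rejects below.
  def unlock(master)
    @key = OpenSSL::KDF.pbkdf2_hmac(master, salt: @salt, iterations: 100_000,
                                    length: 32, hash: 'sha256')
  end

  def lock
    @key = nil
  end

  # Role of WNetCachePassword: store a secret for a resource, AES-256-GCM encrypted.
  # The resource name is bound as additional authenticated data, so a record saved
  # for one resource cannot be handed back for another.
  def cache(resource, secret)
    raise 'agent is locked' unless @key
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @key
    iv = c.random_iv
    c.auth_data = resource
    ct = c.update(secret) + c.final
    @store[resource] = [iv, c.auth_tag, ct]
    true
  end

  # Role of WNetGetCachedPassword: return the secret, or raise if the agent is
  # locked, nothing is cached, or the tag does not verify (wrong key or tampering).
  def get_cached(resource)
    raise 'agent is locked' unless @key
    iv, tag, ct = @store.fetch(resource) { raise "nothing cached for #{resource}" }
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = @key
    d.iv = iv
    d.auth_tag = tag
    d.auth_data = resource
    d.update(ct) + d.final # raises OpenSSL::Cipher::CipherError on a bad tag
  end
end
```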

--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
