Windows equivalent of OS X Keychain?


Solution 1

The "traditional" Windows equivalent would be the Protected Storage subsystem, used by IE (pre IE 7), Outlook Express, and a few other programs. I believe it's encrypted with your login password, which prevents some offline attacks, but once you're logged in, any program that wants to can read it. (See, for example, NirSoft's Protected Storage PassView.)

Windows also provides the CryptoAPI and Data Protection API that might help. Again, though, I don't think that Windows does anything to prevent processes running under the same account from seeing each other's passwords.

It looks like the book Mechanics of User Identification and Authentication provides more details on all of these.

Eclipse (via its Secure Storage feature) implements something like this, if you're interested in seeing how other software does it.

Solution 2

It is the year 2018, and Windows 10 has a "Credential Manager" that can be found in the "Control Panel".

Solution 3

Windows 8 has a notion of a keychain called Password Vault. Windows Runtime apps (Modern/Metro) as well as managed desktop apps can make use of it. According to the documentation:

Apps and services don't have access to credentials associated with other apps or services.

See How to store user credentials on MSDN.

Pre-Windows 8, the Data Protection API (DPAPI) is the closest equivalent to a keychain. Arbitrary data can be encrypted using this API, although storing the encrypted data is up to the developer. The data is ultimately encrypted using the current user's password; however, user- or developer-supplied "optional entropy" can be included to further protect the data from other software or users. The data can also be decrypted on different computers in a domain.

DPAPI can be accessed through native calls to Crypt32.dll's CryptProtectData and CryptUnprotectData functions, or through the .NET Framework's ProtectedData class, which is a limited-feature wrapper for the former functions.

More information than you ever needed to know about DPAPI is available in Passcape's article DPAPI Secrets. Security analysis and data recovery in DPAPI.
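As an added illustration of the DPAPI approach described in this answer (example code, not from the answer or from Microsoft), the script below protects a web-service password with the .NET ProtectedData wrapper under CurrentUser scope, mixes in application-specific optional entropy, and then shows that a decrypt attempt by the same user without that entropy is rejected. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the file path, entropy string and password are illustrative values chosen for this example.

```powershell
# Added example: DPAPI via .NET's ProtectedData, with per-application optional entropy.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows. Path and entropy are illustrative.
Add-Type -AssemblyName System.Security

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$vault = Join-Path $env:LOCALAPPDATA 'ExampleApp\service-password.bin'   # illustrative path
# Optional entropy must be presented again on decrypt. It does not stop a process in the
# same user session that knows the value; it only raises the bar above "any CurrentUser process".
$entropy = [System.Text.Encoding]::UTF8.GetBytes('ExampleApp/v1/service-password')

function Protect-Secret {
    param([Parameter(Mandatory)][string]$Plaintext)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $entropy, $scope)
    } finally {
        # Scrub the byte copy of the plaintext; the .NET string itself cannot be zeroed.
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
    New-Item -ItemType Directory -Path (Split-Path $vault) -Force | Out-Null
    [IO.File]::WriteAllBytes($vault, $blob)
}

function Unprotect-Secret {
    param([byte[]]$Entropy = $entropy)
    $blob = [IO.File]::ReadAllBytes($vault)
    # Throws CryptographicException if the entropy differs, the blob belongs to another user,
    # or the user's DPAPI master key is unavailable (e.g. after an admin password reset).
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $scope)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

Protect-Secret -Plaintext 'example-service-password'   # constructed sample value
Unprotect-Secret                                        # succeeds: same user, same entropy

try {
    Unprotect-Secret -Entropy $null                     # same user, no entropy: rejected
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning "Decrypt without the app's entropy failed as expected: $($_.Exception.Message)"
}
```

The blob on disk is readable by any process running as the same user, so the entropy value is the only thing separating your application's secret from other CurrentUser software; treat it as a mitigation, not as isolation.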

Solution 4

Actually, looking through MSDN, the functions they recommend using (instead of Protected Storage) are:

  • CryptProtectData
  • CryptUnprotectData

The link for CryptProtectData is at CryptProtectData function.

Solution 5

The OS X Keychain equivalent is Credential Manager in Windows.

Author by dF.

Updated on January 27, 2022

Comments

  • dF.
    dF. over 2 years

    Is there an equivalent of the OS X Keychain, used to store user passwords, in Windows? I would use it to save the user's password for a web service that my (desktop) software uses.

    From the answers to this related question (Protecting user passwords in desktop applications (Rev 2)) and the multitude of third-party password storage tools available, I assume that such a thing doesn't exist. Am I stuck with either asking for the password each time I access the web service, or just storing it obfuscated?

  • rogerdpack
    rogerdpack over 11 years
    Doesn't look like this protects separate apps from reading each other's data...
  • Spig
    Spig over 9 years
    Passing pOptionalEntropy can provide some protection from other apps reading your app's data when running under the same context.
  • Spig
    Spig over 9 years
    Protected Storage has been deprecated post-XP/2k3 and is read-only in Windows Vista and Server 2008: msdn.microsoft.com/en-us/library/bb432403%28v=vs.85%29.aspx
  • Geremia
    Geremia almost 9 years
    Wow, is security really this hard in Windows?
  • etiennejcharles
    etiennejcharles over 5 years
    This response is perfect. Thanks!
  • Gabriel
    Gabriel over 3 years
    Credential dumping on Windows, even with "Credential Manager" is still an issue, and I don't think there is any way to prevent it outside of special hardware. MacOS keychain doesn't have this issue and so I don't think there is an equivalent.
  • breakpoint
    breakpoint about 2 years
    Consider the techniques discussed here to help mitigate this risk: reliaquest.com/blog/…
  • breakpoint
    breakpoint about 2 years
    Please note these attack mitigation techniques, if you go this route: reliaquest.com/blog/…
  • Joshua Swain
    Joshua Swain about 2 years
    Credentials Manager doesn't allow you to view/copy the password though