I was wondering if anyone here has used/has a comment on using Windows Credential Manager?
I have a library we've written that implements logging onto various providers' websites, FTP, and with a little more luck/elbow grease soon to be SFTP; historically we've been storing the usernames and passwords for each of these remote locations in our SQL database.
I've been thinking about storing these identities in the "Windows Credential Manager" instead of the DB and then retrieving the information from there. This also could be a fairly convenient place to put the host-key...
I think the two biggest drawbacks of this approach are one, it would appear that any application running in the context of the current user could access all the stored credentials (but I'm not exactly sure what an alternative would be... add app_id keys to a whitelist for the credential entry?); and each Credential Database is user specific so multiple people couldn't share the same credential entry (which oftentimes there is just a "firm level" credential for the remote host).
What I like about it is that it's built in, secured at least on a file system level, can store keys, Windows IDs, and certificates; and I don't like just about everything else (Windows-specific, it seems that any virus could just scan through it, nothing about it gets shared with other users)...
Comments appreciated.
Thanks,
Mike