There doesn't seem to be much information on the PasswordVault but it seems to provide for local encryption of credentials.

There are references to it in this source code and this blog.

The reason I'm asking is so I can understand the platform specific features (Windows based OS) and when the code is ported to other platforms using a cross platform compiler such as Xamarin

Glorfindel
makerofthings7
    Perhaps this should be on stackoverflow? Seems a programming question to me. – Neil Smithline Dec 22 '15 at 17:56
  • I think you may be looking more for information on credential lockers - see here for more high-level information on credential lockers: https://technet.microsoft.com/en-us/library/jj554668.aspx – jth Dec 22 '15 at 20:15
  • @NeilSmithline No, while it does have programming implications, it's a fit here. – Xander Dec 22 '15 at 21:33
  • the github link for PasswordVault says that it requires windows 10. Why do you feel that it is not Platform Specific enough? – JOW May 27 '16 at 14:13

2 Answers

The PasswordVault uses the Windows.Security.Credentials namespace. As of today, this namespace is unavailable in Mono, so the other most popular cross-platform compiler just won't work for this feature.

JOW

Secrets stored in Password Vault / Credential Locker are encrypted using the Windows Data Protection API (DPAPI, see also MSDN) and stored in the user's profile directory (to see where, run vaultcmd.exe /list). On Win10, DPAPI uses AES256, and the password is hashed using PBKDF2 with 8000 iterations (or possibly more on recent updates). See this answer for more about that.

DPAPI "master" keys are static for a user but are protected using a password-derived key. This protected master key (stored in the user's profile directory) is unrecoverable if a user's password is forcibly reset (by an administrator or by directly editing the SAM registry hive). Thus, Credential Vault-stored secrets (and everything else protected by DPAPI keys, including Encrypting File System keys) are in effect protected by the quality of your password.

Note that Windows password hashes are terrible (there's some obfuscatory nonsense on top, but at the end of the day the passwords are stored as single-round unsalted MD4 hash digests). This means, if an attacker has administrative access to your machine or physical access to the hard disk (or a backup image thereof), they can attempt to brute-force your Windows password at an astonishing rate (tens of billions of candidates per second, using commodity hardware). An attacker can also simply try to look up your password in a "rainbow table" of pre-computed hashes. A sufficiently good - mostly meaning long - password is still secure, though.

For "Windows Store" sandboxed apps, an additional layer of separation applies. When a particular app uses PasswordVault, it can only see or store credentials for itself. However, I wouldn't count on this as a security benefit; I don't believe it's enforced by any actual security boundaries (e.g. ACLs on the data) and expect an app could just get around this by calling the native APIs directly.

CBHacking
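As an added example (not code from the question or either answer), here is the PasswordVault usage the question is asking about: storing, reading back and removing a credential through the Windows.Security.Credentials namespace. It assumes a Windows 10 target (the API is WinRT and, as the first answer notes, not available under Mono); the resource name and the user name and secret are constructed sample values.

```csharp
using System;
using Windows.Security.Credentials;

// Added example: per-app credential storage with PasswordVault.
// Requires Windows 10 / WinRT; not portable to Mono or non-Windows Xamarin targets.
public static class VaultExample
{
    // Resource identifier is an assumption; any string naming the service will do.
    const string Resource = "https://api.example.invalid";

    public static void Store(string userName, string secret)
    {
        var vault = new PasswordVault();
        // Adding a credential with the same resource and user name replaces the old one.
        vault.Add(new PasswordCredential(Resource, userName, secret));
    }

    public static string Load(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            PasswordCredential cred = vault.Retrieve(Resource, userName);
            // The Password property is empty until RetrievePassword() is called;
            // the secret stays in the vault until explicitly requested.
            cred.RetrievePassword();
            return cred.Password;
        }
        catch (Exception)
        {
            // Retrieve throws ("Element not found") when no matching credential exists
            // for this app; another app's credentials are never returned here.
            return null;
        }
    }

    public static void Remove(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            foreach (var cred in vault.FindAllByResource(Resource))
            {
                if (cred.UserName == userName)
                    vault.Remove(cred);
            }
        }
        catch (Exception)
        {
            // FindAllByResource also throws when nothing matches; nothing to remove.
        }
    }

    public static void Main()
    {
        // Constructed sample values.
        Store("alice", "correct horse battery staple");
        Console.WriteLine(Load("alice") != null ? "credential stored and read back" : "not found");
        Remove("alice");
        Console.WriteLine(Load("alice") == null ? "credential removed" : "still present");
    }
}
```

Note that nothing in this code chooses a key or an algorithm: the encryption is done by DPAPI under the user's profile, so, as the second answer explains, the stored secret is only as strong as the user's Windows password, and a forced password reset makes it unrecoverable.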