
I was wondering if the DPAPI will still work properly if a user doesn't have a login password (like most of the home users). I can't find this information on Google or in the official documentation and I can't test it because the computers at work can't be without a password.

Gilles 'SO- stop being evil'
Fabio

1 Answer


Yes, but it's not quite as secure. DPAPI encrypts data with a master key, which is independent of the user password. When the user has a password, the master key is encrypted with the user's password. Without a password, an attacker with local access (via another user account) might extract the master key. However, once an attacker has local access to the system it's game over anyway. DPAPI is just a damage limitation system, really.

Polynomial
Smallish correction: the master key is encrypted using the account's RSA keys, which in turn are protected using the user's password. Still the same answer, though. – AviD Oct 15 '12 at 11:07
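The answer above describes the chain password → account keys → master key → data, and the point that the master key alone is enough to recover user-scope blobs. The following is an added example, not code from the original question or answer: it round-trips a constructed secret through the .NET `ProtectedData` wrapper over DPAPI at `CurrentUser` scope, once without and once with caller-supplied optional entropy, to show what the master key alone does and does not unlock. The secret and entropy values are constructed for the demonstration; it assumes Windows PowerShell 5.1 on a Windows host, where `ProtectedData` lives in `System.Security.dll`.

```powershell
# Added example (not from the original post): DPAPI round-trip at user scope,
# without and with optional entropy. Assumes Windows PowerShell 5.1 on Windows.
Add-Type -AssemblyName System.Security

$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed sample secret and a constructed application-specific entropy value.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-secret')
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-app-specific-entropy')

# 1. Plain user-scope protection. Anyone who can decrypt with this user's
#    master key (code running as this user, or a party holding the master key,
#    which the answer notes is easier to obtain when the account has no
#    password) can recover the plaintext.
$blobNoEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $Scope)

# 2. Protection with optional entropy. The same master key is used, but
#    decryption additionally requires the entropy bytes, so the master key
#    on its own is no longer sufficient.
$blobEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $Scope)

# Decrypting (1) needs only the user context.
$plain1 = [System.Security.Cryptography.ProtectedData]::Unprotect($blobNoEntropy, $null, $Scope)
"Blob without entropy decrypted to: $([System.Text.Encoding]::UTF8.GetString($plain1))"

# Decrypting (2) without the entropy fails with a CryptographicException.
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $null, $Scope)
    'Unexpected: blob with entropy decrypted without it'
} catch [System.Security.Cryptography.CryptographicException] {
    'Blob with entropy could not be decrypted without the entropy (expected)'
}

# Decrypting (2) with the entropy succeeds.
$plain2 = [System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $entropy, $Scope)
"Blob with entropy decrypted to: $([System.Text.Encoding]::UTF8.GetString($plain2))"
```

Optional entropy only helps if it is not stored alongside the blob: if the entropy sits in the same file or registry key that an attacker with the master key can already read, it adds nothing. It is a second factor for the application to manage, not a replacement for the account password that AviD's correction places at the top of the key chain.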