I'm working on a project where I need to store and recover a password. I can't use a salted hash for authentication because the password is used to secure an HTTP connection via HTTP Digest. I'm not in charge of the protocol on the other end, so that means I need the plaintext password to perform the authentication. I can't change this.

Right now the project is just storing the password in plaintext in a config file. I don't like that.

On the Mac side of things, I can use Keychain and I feel fairly comfortable with that.

On the Windows side of things, I feel less sure. Is CryptProtectData with additional entropy good enough? AES instead? Should I just obfuscate the key in code?

I'm not securing anything hyper sensitive, but I am storing a password.

0 Answers
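The question asks whether CryptProtectData with additional entropy is good enough on Windows. As an added example (editorial illustration, not code from the question's author or their project), the following PowerShell round-trips a password through DPAPI using the .NET `ProtectedData` wrapper, which calls CryptProtectData/CryptUnprotectData underneath, and shows the two properties that decide the answer: the blob is bound to the Windows user account (`CurrentUser` scope), and the optional entropy is only a second secret if it is neither hard-coded in the binary nor stored next to the blob. The function names `Protect-Secret`/`Unprotect-Secret`, the config file path and the sample password are assumptions made for this illustration.

```powershell
# Added example: DPAPI round-trip via the .NET ProtectedData wrapper around
# CryptProtectData / CryptUnprotectData. Function names, file path and the
# sample password are assumptions made for this illustration.

# Windows PowerShell 5.1 needs the assembly loaded explicitly;
# PowerShell 7 on Windows resolves the type on its own.
Add-Type -AssemblyName System.Security

# CurrentUser: only processes running under this Windows account can unprotect.
# LocalMachine would let any process on the box do it, which defeats the purpose here.
$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret {
    param(
        [Parameter(Mandatory)] [string] $PlainText,
        [Parameter(Mandatory)] [byte[]] $Entropy
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        # Key material comes from the user's DPAPI master key (protected by the
        # logon credential); $Entropy is mixed in as an additional input.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
    } finally {
        # Do not leave the plaintext in managed memory longer than needed.
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)] [string] $Base64Blob,
        [Parameter(Mandatory)] [byte[]] $Entropy
    )
    $blob  = [Convert]::FromBase64String($Base64Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# --- demo -------------------------------------------------------------------
# Constructed sample password; in the real project this is the HTTP Digest credential.
$password = 'correct horse battery staple'

# Entropy must live somewhere other than the config file and must not be a
# constant in the code, otherwise it is obfuscation rather than a second secret.
# Here it is generated randomly per install; a real deployment would keep it
# in, for example, a registry value with a restrictive ACL.
$entropy = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($entropy)

$configPath = Join-Path $env:TEMP 'app-config.json'   # assumed location
@{ digest_password = (Protect-Secret -PlainText $password -Entropy $entropy) } |
    ConvertTo-Json | Set-Content -Path $configPath -Encoding UTF8

# Later, the same user reads the config and recovers the plaintext for Digest auth.
$config    = Get-Content -Path $configPath -Raw | ConvertFrom-Json
$recovered = Unprotect-Secret -Base64Blob $config.digest_password -Entropy $entropy
"Round trip OK: $($recovered -ceq $password)"

# Failure mode: same user, same blob, wrong entropy -> CryptUnprotectData fails
# and the wrapper throws a CryptographicException.
$wrongEntropy = New-Object byte[] 32
try {
    Unprotect-Secret -Base64Blob $config.digest_password -Entropy $wrongEntropy | Out-Null
    'Unexpected: decrypted with wrong entropy'
} catch {
    "Wrong entropy rejected: $($_.Exception.GetBaseException().Message)"
}

Remove-Item -Path $configPath -ErrorAction SilentlyContinue
```

Two caveats follow from how DPAPI works rather than from this code. First, the `CurrentUser` blob only round-trips for the Windows account that created it; if the project later runs as a service under a different account, `Unprotect` fails, and switching to `LocalMachine` scope widens access to every process on the machine. Second, any code already running as the same user can call CryptUnprotectData itself, so the entropy is the only thing standing between that code and the password; entropy compiled into the binary is recoverable by anyone who can read the binary. Against the alternatives in the question, AES with a key stored by the application just recreates the problem of where to keep the key, and obfuscating a key in code stops casual reading of the config file but nothing more. DPAPI with entropy kept outside both the config and the executable is the reasonable choice among the three; what it does not do is protect the password from code running as the same user.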