My problem with the Windows Credential Manager is that it advertises that using it through its provided GUI and/or API is secure. I realize there are measures you can take to encrypt contents before storing them, hashing them correctly, etc., but my criticism still applies because doing these additional things is creating security, not the Windows Credential Manager. It's not safe, it's a piece of garbage, and I've struggled for a long time to understand its usefulness, except for Microsoft to apparently have plain text copies of all of your passwords they can sell to the NSA.
So passwords are not safe, and hashes and such that you verify to lock something are not safe. What's even sillier is that the Control Panel will show asterisks, but if you use code accessing the applicable APIs, you can get the values in plain text. Delete your hash, put in their own, and they're in.
10:40 AM Good news, I hope to see it soon because even on Windows 10 (for GOG Galaxy, which asks for the password on every start), it's very annoying to do: Edge -> menu -> password -> search gog -> eye -> fingerprint -> triple click to select the password -> ctrl + c -> ctrl + v, and copy another random text to erase it from the clipboard.
A user can visit the Credential Manager in the Control Panel and, though the values show up in asterisks (*****), they can simply erase the value and replace it. The same user, trying to bypass this, can do so easily. In the last one, backing up the credentials and restoring them works for me, including the web credentials. And an alternative GUI: rundll32.exe keymgr.dll, KRShowKeyMgr.
Let's take the example of a content filter that locks the settings page to keep the kids from enabling adult content, using the Credential Manager to store custom credentials. There are at least two other ways to access your credentials: a command line program: cmdkey.exe. Let's think about "secure" in the sense of locking an application locally.
However, since any elevated process the user runs has full read/write capability on that user's credential store, it simply can't be trusted at all. The only semi-secure way of using the Windows Credential Manager is to store values pre-hashed, then verify those hashes. It's "secure" at the user account level, which means that any process that the user ever runs and the user themselves must necessarily be trusted in order to call this system "secure" with a straight face. The Windows Credential Manager is anything but secure.