Has anyone used Credential Manager?

Feb 21, 2015 at 1:12 AM
I was wondering if anyone here has used/has a comment on using Windows Credential Manager?

I have a library we've written that implements logging onto various providers' websites, FTP, and with a little more luck/elbow grease soon to be SFTP; historically we've been storing the usernames and passwords for each of these remote locations in our SQL database.

I've been thinking about storing these identities in the "Windows Credential Manager" instead of the DB and then retrieving the information from there. This could also be a fairly convenient place to put the host key...

I think the two biggest drawbacks of this approach are: one, it would appear that any application running in the context of the current user could access all the stored credentials (but I'm not exactly sure what an alternative would be... add app_id keys to a whitelist for the credential entry?); and two, each Credential Database is user specific, so multiple people couldn't share the same credential entry (and oftentimes there is just a "firm level" credential for the remote host).

What I like about it is that it's built in, secured at least on a file system level, and can store keys, Windows IDs, and certificates; I don't like just about everything else (Windows specific, it seems that any virus could just scan through it, nothing about it gets shared with other users)...

Comments appreciated.

Thanks,
Mike
Feb 24, 2015 at 3:32 PM
In PowerShell, there are two very useful functions to store passwords in local files:
1) ConvertTo-SecureString
2) ConvertFrom-SecureString

Load SecureString password from file:
$securepassword = Get-Content $FileName | ConvertTo-SecureString

Save SecureString password to a file:
ConvertFrom-SecureString $securepassword | Out-File $private:file -Encoding Default

Of course, $securepassword is a SecureString and you need to convert it to a string in order to use it with SSH:
function Convert-SecureStringToString {
    [CmdletBinding()]
    param(
        [parameter(Mandatory=$true)]
        [System.Security.SecureString]$String
    )
    # Copy the SecureString into an unmanaged BSTR, read it back as a .NET string,
    # and always zero and free the unmanaged copy afterwards.
    $private:bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($String)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($private:bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($private:bstr)
    }
}

A full PowerShell program will look like this:

Create credential file...

# -Force is required when converting plain text, otherwise ConvertTo-SecureString refuses the input
$securepassword = ConvertTo-SecureString "mypassword" -AsPlainText -Force
ConvertFrom-SecureString $securepassword | Out-File $FileName -Encoding Default

Use the credential file...

$securepassword = Get-Content $FileName | ConvertTo-SecureString
$ssh = New-Object Renci.SshNet.SshClient($HostName, $UserName, $(Convert-SecureStringToString $securepassword))

For details please check the MSDN documentation.
Feb 24, 2015 at 6:34 PM
That's a pretty convenient way to implement storing/retrieving encoded strings in PowerShell. I likely have some uses for that. :)

Regarding comparing this to Windows Credential Manager or the SQL DB approach:
1) This assumes that only the secure password string is in the file; no username, no URL, no protocol, no other configuration details (like starting directory). One of the main benefits of the SQL DB/CredMan approach is that many different credentials and some limited additional information could be stored along with them.
Now, this isn't much of a problem, because you can just make your encrypted-string-in-a-file approach a bit more complicated so that it can store many usernames, passwords, and protocol/URL destinations; and before too long you've just created a reimplementation of Windows Credential Manager. :)
Check out this link: https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

2) I might be wrong about Windows Credential Manager, but at the moment I haven't seen a way to create a shared credential repository. This solution is file based, so it could be centralized on a directory share, and that's definitely better than a "per user" silo. We're already using a SQL DB which is wrapped by a .NET library.

What I'd really prefer is a "both" kind of solution, where as part of CredMan I can select which "Vault" to open (or supply a file name to be the vault I want to work with).
Feb 24, 2015 at 7:46 PM
Hi Mike,
The suggestion was made because it is very simple to provide a sample program where you don't want to keep passwords visible. It is very simple to make a sample program and instruct the user on how to create a "password" file. Later you just copy the whole thing without the password file and you are 100% safe. In my particular case, I have filenames associated with user and host names (like emails: filename = username(at)hostname, where I must escape special characters).

1) Yes, the sample is very simple. A more complicated solution may use INI files (with GetPrivateProfileString).

2) In no way can you use my sample with "shared repositories", at least not across a machine boundary. The encryption algorithms are based on machine and (by default) on user keys. If you run your program on another machine you will not be able to decrypt the passwords. Because of that, I suggested checking the documentation.
As far as I remember, with Credential Manager the constraints are the same.
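The two gaps raised in the thread (one password per file with no username/host/protocol alongside it, and DPAPI-protected strings that only decrypt for the same user on the same machine) can both be covered with the same two cmdlets. The following is an added example, not code from any of the posters: a small JSON store holding several named entries (host, protocol, username, protected password). Without a key it uses DPAPI exactly like the sample above; with the `-Key` parameter of ConvertFrom-SecureString/ConvertTo-SecureString it uses an explicit 256-bit AES key instead, which is what makes the file readable from another account or machine. The store path, key path, entry names, hostnames and the demo credential are constructed for illustration.

```powershell
# Added example (not from the thread): multi-entry credential file protected by
# ConvertFrom-SecureString, either DPAPI (default) or an explicit AES key (-Key).
# Note: with -Key, the secrecy of every password in the file is exactly the
# secrecy of the key file, so the key file needs the same ACLs you would give the
# passwords themselves.

function Protect-Password {
    param(
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [byte[]]$Key   # 16, 24 or 32 bytes; omit for DPAPI (current user + machine only)
    )
    if ($Key) { ConvertFrom-SecureString -SecureString $Password -Key $Key }
    else      { ConvertFrom-SecureString -SecureString $Password }
}

function Unprotect-Password {
    param(
        [Parameter(Mandatory)][string]$Encrypted,
        [byte[]]$Key
    )
    if ($Key) { ConvertTo-SecureString -String $Encrypted -Key $Key }
    else      { ConvertTo-SecureString -String $Encrypted }
}

function Save-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][string]$Name,        # logical entry name, e.g. 'ftp-example'
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Protocol,    # 'ftp', 'sftp', 'https', ...
        [Parameter(Mandatory)][pscredential]$Credential,
        [byte[]]$Key
    )
    # Load existing entries (if any) so several credentials share one file.
    $entries = @{}
    if (Test-Path $StorePath) {
        (Get-Content $StorePath -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $entries[$_.Name] = $_.Value }
    }
    # Only the password field is protected; the metadata stays readable.
    $entries[$Name] = [pscustomobject]@{
        HostName = $HostName
        Protocol = $Protocol
        UserName = $Credential.UserName
        Password = Protect-Password -Password $Credential.Password -Key $Key
    }
    $entries | ConvertTo-Json | Set-Content -Path $StorePath -Encoding UTF8
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][string]$Name,
        [byte[]]$Key
    )
    $store = Get-Content $StorePath -Raw | ConvertFrom-Json
    $entry = $store.$Name
    if (-not $entry) { throw "No stored credential named '$Name' in $StorePath" }
    $secure = Unprotect-Password -Encrypted $entry.Password -Key $Key
    [pscustomobject]@{
        HostName   = $entry.HostName
        Protocol   = $entry.Protocol
        Credential = New-Object System.Management.Automation.PSCredential($entry.UserName, $secure)
    }
}

# --- usage with constructed values (in real use take the credential from Get-Credential) ---
$StorePath = Join-Path $env:LOCALAPPDATA 'firm-credentials.json'
$demoCred  = New-Object System.Management.Automation.PSCredential(
    'svc-example', (ConvertTo-SecureString 'example-password' -AsPlainText -Force))

# DPAPI mode: decryptable only by this user on this machine (the thread's constraint).
Save-StoredCredential -StorePath $StorePath -Name 'ftp-example' -HostName 'ftp.example.test' `
    -Protocol 'ftp' -Credential $demoCred
$entry = Get-StoredCredential -StorePath $StorePath -Name 'ftp-example'
"$($entry.Protocol)://$($entry.Credential.UserName)@$($entry.HostName)"
# Plain text exists only at the moment of use, e.g. for an SSH.NET client:
# $ssh = New-Object Renci.SshNet.SshClient($entry.HostName, $entry.Credential.UserName,
#            $entry.Credential.GetNetworkCredential().Password)

# Shared mode: a random 32-byte key lets another account or machine read the same file.
$KeyPath = Join-Path $env:LOCALAPPDATA 'firm-credentials.key'
if (-not (Test-Path $KeyPath)) {
    $k = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    [System.IO.File]::WriteAllBytes($KeyPath, $k)
}
$Key = [System.IO.File]::ReadAllBytes($KeyPath)
Save-StoredCredential -StorePath "$StorePath.shared" -Name 'sftp-example' -HostName 'sftp.example.test' `
    -Protocol 'sftp' -Credential $demoCred -Key $Key
(Get-StoredCredential -StorePath "$StorePath.shared" -Name 'sftp-example' -Key $Key).Credential.UserName
```

Putting the key file on a restricted share (or handing it to the service account through another protected channel) is what turns this into the "firm level" shared store the first post asks for; leaving the key next to the JSON on an open share gives no more protection than a plain text password file, so the ACL on the key is the whole security argument in shared mode.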