Storing Passwords in the Registry

I'm writing an NT service (2k/XP) that needs to log on to some remote web services and thus needs access to some passwords that will be entered with an external GUI by the users of the computer where the service runs. I need to store these passwords in the registry, but don't want them to be readable in plaintext for every user on that computer, although every user should be able to set new passwords or overwrite existing ones. I'm looking for a secure solution that is not just based on obscurity (i.e. not ROT13 or similar), as the source code for my service will be available to those who might want to spy out other users' passwords. I think I cannot rely on user-based registry access rights, as my service must be able to run without any user logged on to the computer where the service runs. I'd prefer something based on one-way hashes (MD5/SHA-1), but the service itself needs the plaintext of the passwords to perform the necessary authentication.

Do you have any idea how to achieve this? And how do other programs like email clients or browsers protect their remembered passwords?

Thank you for your help.
Asked by x4u

jkr commented:
A one-way hash isn't a good idea, since you can't calculate the PWD from the hash. I'd suggest using the Protected Storage Service instead: http://msdn.microsoft.com/library/en-us/devnotes/winprog/pstore.asp

Also, http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx ("Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code") seems quite promising.

KrishnaPG commented:
Dear,

Storing the passwords in the registry is not a good idea. There are better options that involve: access control lists (ACL), Data Protection API, Stored Data Accessing using CredUIPromptForCredentials(), etc.

A good article explaining these is available at: http://msdn.microsoft.com/library/en-us/secbp/security/threat_mitigation_techniques.asp

Typically you want to use cryptography (the very thing that is used in secure web browsing) services to encrypt/decrypt your passwords and store these passwords using ACL. Access Control Lists allow files to be secured using custom security management so that they are not as easily accessible as the registry, which is open to anyone.

Thanking you,
Yours,
P.GopalaKrishna.
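
One way to combine the Data Protection API and the access control lists mentioned in the answers above, as an added example that is not part of the thread. It uses the .NET `ProtectedData` wrapper around DPAPI from PowerShell; the key path, the value name, and a service running as LocalSystem are assumptions.

```powershell
# Added example; $SubKey, $ValueName and the LocalSystem service account are assumptions.
Add-Type -AssemblyName System.Security
$SubKey    = 'SOFTWARE\ExampleService\Credentials'   # hypothetical key under HKLM
$ValueName = 'WebServicePassword'                    # hypothetical value name
# Machine scope: the blob can be decrypted with no user logged on.
$Scope     = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Installer step (run elevated): give the key an explicit, non-inherited ACL.
function Initialize-CredentialKey {
    $acl = New-Object System.Security.AccessControl.RegistrySecurity
    $acl.SetAccessRuleProtection($true, $false)      # discard inherited ACEs
    $grants = @{
        'S-1-5-18'     = 'FullControl'   # LocalSystem (the service)
        'S-1-5-32-544' = 'FullControl'   # Administrators
        'S-1-5-32-545' = 'SetValue'      # Users: may write values, not query them
    }
    foreach ($sid in $grants.Keys) {
        $id     = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rights = [System.Security.AccessControl.RegistryRights]$grants[$sid]
        $allow  = [System.Security.AccessControl.AccessControlType]::Allow
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($id, $rights, $allow)))
    }
    [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey).Close()
    # Reopen with WRITE_DAC only; the default writable handle cannot change the DACL.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $key.SetAccessControl($acl)
    $key.Close()
}

# GUI side (any user): encrypt, then open the key for SetValue only and overwrite.
function Set-ServicePassword([string]$Plain) {
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [System.Text.Encoding]::UTF8.GetBytes($Plain), $null, $Scope)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::SetValue)
    $key.SetValue($ValueName, $blob, [Microsoft.Win32.RegistryValueKind]::Binary)
    $key.Close()
}

# Service side (LocalSystem): a read-only open is denied to ordinary users by the ACL.
function Get-ServicePassword {
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    $blob = [byte[]]$key.GetValue($ValueName)
    $key.Close()
    [System.Text.Encoding]::UTF8.GetString(
        [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope))
}
```

A machine-scope DPAPI blob can be decrypted by any local process that obtains it, so the ACL on the key is the control that keeps ordinary users from reading other users' passwords. Members of Administrators can still recover the plaintext.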