locked
PasswordVault Security - Retrieving Passwords

    Question

  • What stopping other applications from pulling my passwords out of the vault if they know the resource key?  If I store a password with basic auth, can any app pull it out if they know the resource key?  I understand the password vault itself is secure, but can other apps retrieve passwords from it?  I am sure they can't but it would be nice to see it explained somewhere.

    www.techtronic.us - My App www.spaceweatherapp.com

    Sunday, January 27, 2013 8:19 AM

Answers

  • The Credential Locker is isolated between apps. Only the app that creates an entry can retrieve it. You don't see this visible in the API, but it's much along the same lines as using Windows.Storage.ApplicationData.localFolder and such--you get to talk to the stuff your app owns, and that's it.

    Clearly, if the credential locker didn't have such isolation, then apps using the same resource name would easily collide.

    Internally the locker is likely using something like the package name for a key in its own storage, but that's opaque to apps.

    I agree that it'd be good to have this documented more clearly. I'll put in that request--thanks for asking.

    .Kraig

    Sunday, January 27, 2013 11:32 PM

All replies

  • The Credential Locker is isolated between apps. Only the app that creates an entry can retrieve it. You don't see this visible in the API, but it's much along the same lines as using Windows.Storage.ApplicationData.localFolder and such--you get to talk to the stuff your app owns, and that's it.

    Clearly, if the credential locker didn't have such isolation, then apps using the same resource name would easily collide.

    Internally the locker is likely using something like the package name for a key in its own storage, but that's opaque to apps.

    I agree that it'd be good to have this documented more clearly. I'll put in that request--thanks for asking.

    .Kraig

    Sunday, January 27, 2013 11:32 PM
  • Perfect thank you.  I assumed it was, but like you said it is not really documented like isolated storage is.

    www.techtronic.us - My App www.spaceweatherapp.com

    Monday, January 28, 2013 12:17 AM
  • PS.  It wasn't in your book either.  I have been reading it when working on my apps.  It's a great resource!  Thanks for taking the time to reply.

    www.techtronic.us - My App www.spaceweatherapp.com


    Monday, January 28, 2013 12:20 AM
  • Yes, I checked that too, and see that it would help to mention this. I'll do that in the next revision.

    Monday, January 28, 2013 4:41 PM