Credential locker or hashing for storing passwords

    Question

  • In Windows 8.1 there is a feature called Credential Locker which can be used to save usernames and passwords. It stores the credentials in the app's storage on the device, and they are encrypted.

    My question is whether it is better to hash passwords and store them, or to store them using the Credential Locker? Which is more secure?

    Monday, September 1, 2014 1:23 PM

Answers

  • Hi Nitilaksha,

    I think the documentation mentioned this problem: How to store user credentials

    Secure storage

    The great advantage that Credential Locker brings to your app is that it stores the user credentials in a secure location, and the credential information is encrypted when it’s stored. Sure, you could store your user credentials in a file in the local storage for your app, but storing user credentials in plain text presents a considerable security hole. If a user’s device is compromised in some way, the user’s username and password would be easy to access and manipulate. However, if the username and password are stored using Credential Locker, the best that a malicious source could get a hold of is an encrypted file.

    Roaming credentials

    As an added benefit to your users, when you store their username and password using Credential Locker, the stored credentials roam with their Microsoft account to any other trusted machine they use with the same Microsoft account. This makes your secure app even more convenient for your users because your app can log them in automatically, without prompting the user for credentials, from any trusted device they have installed your app on and associated with their Microsoft account.

    Things work a little differently for domain accounts. If there are credentials stored with your Microsoft account, and you associate that account with a domain account (such as the account that you use at work), your credentials will roam to that domain account. However, any new credentials added when signed on with the domain account won’t roam. This ensures that private credentials for the domain aren’t exposed outside of the domain.

    Only use the credential locker for passwords and not for larger data blobs. Save passwords in the credential locker only if the following criteria are met:

    • The user has successfully signed in.
    • The user has opted to save passwords.

    --James


    Thanks
    MSDN Community Support


    • Marked as answer by Nitilaksha Tuesday, September 2, 2014 9:58 AM
    Tuesday, September 2, 2014 9:01 AM
    Moderator
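The two options in the question solve different problems, which the thread does not spell out: a hash lets an app verify a password the user types without ever storing it, but it cannot give the password back, so it is useless when the app must later present the credential to a remote service; Credential Locker exists for that second case and keeps the value recoverable but encrypted. The following added example (not code from the thread or from Microsoft's documentation) shows both side by side for a Windows 8.1 app using the WinRT APIs: `PasswordVault` for a saved service credential, and `KeyDerivationAlgorithmProvider` (PBKDF2-HMAC-SHA256 with a random salt) for a locally verified secret such as an app lock. The resource name `ExampleApp:ExampleService`, the class name and the iteration count are assumptions.

```csharp
// Added example, not part of the forum thread. Targets a Windows 8.1 (WinRT) app.
using System;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

public static class CredentialExamples
{
    // Assumed resource name: use one distinct string per remote service the app talks to.
    private const string Resource = "ExampleApp:ExampleService";

    // --- 1. Credential Locker: a password the app must send to a service later, so it
    //        has to be recoverable. Per the documentation quoted above, call this only
    //        after the user has signed in successfully and has opted to save the password.
    public static void SaveCredential(string userName, string password)
    {
        var vault = new PasswordVault();
        vault.Add(new PasswordCredential(Resource, userName, password));
    }

    // Returns null when nothing is stored for this user (Retrieve throws in that case).
    public static string LoadPassword(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            PasswordCredential cred = vault.Retrieve(Resource, userName);
            cred.RetrievePassword();   // Password is only populated on request
            return cred.Password;
        }
        catch (Exception)
        {
            return null;
        }
    }

    // Remove the saved credential, e.g. when the user signs out or revokes "remember me".
    public static void ForgetCredential(string userName)
    {
        var vault = new PasswordVault();
        try { vault.Remove(vault.Retrieve(Resource, userName)); }
        catch (Exception) { /* nothing stored for this user */ }
    }

    // --- 2. Hashing: a password the app only needs to VERIFY and never needs back.
    //        Stored record format (assumed): "iterations$base64(salt)$base64(hash)".
    private const uint SaltBytes = 16;
    private const uint HashBytes = 32;
    private const uint Iterations = 100000;   // assumed; tune to the device's cost budget

    public static string HashPassword(string password)
    {
        IBuffer salt = CryptographicBuffer.GenerateRandom(SaltBytes);   // fresh salt per record
        IBuffer hash = Derive(password, salt, Iterations);
        return string.Join("$",
            Iterations.ToString(),
            CryptographicBuffer.EncodeToBase64String(salt),
            CryptographicBuffer.EncodeToBase64String(hash));
    }

    // Recomputes the derivation with the stored salt and compares; the original password
    // cannot be reconstructed from the record, which is the property hashing buys you.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        uint iterations;
        if (parts.Length != 3 || !uint.TryParse(parts[0], out iterations)) return false;
        IBuffer salt = CryptographicBuffer.DecodeFromBase64String(parts[1]);
        IBuffer expected = CryptographicBuffer.DecodeFromBase64String(parts[2]);
        IBuffer actual = Derive(password, salt, iterations);
        return CryptographicBuffer.Compare(expected, actual);
    }

    private static IBuffer Derive(string password, IBuffer salt, uint iterations)
    {
        var provider = KeyDerivationAlgorithmProvider.OpenAlgorithm(
            KeyDerivationAlgorithmNames.Pbkdf2Sha256);
        IBuffer pwd = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf8);
        CryptographicKey key = provider.CreateKey(pwd);
        KeyDerivationParameters p = KeyDerivationParameters.BuildForPbkdf2(salt, iterations);
        return CryptographicEngine.DeriveKeyMaterial(key, p, HashBytes);
    }
}
```

Usage: `SaveCredential`/`LoadPassword` belong in the sign-in path for a remote account the app re-authenticates to; `HashPassword`/`VerifyPassword` belong to anything the app itself checks locally, where storing the record in `ApplicationData.Current.LocalSettings` is acceptable because the record reveals nothing usable on its own. Neither should be used for the other job: a vault entry is a plaintext-equivalent for whoever can run code as the user, and a hash can never log anyone in to a service.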