> I have a strong preference for portable, transparent solutions. That I can understand and would always be the best solution, but not always possible.
> There is also the small point that it has been broken (see Wikipedia).

As I read it, it was mostly before Windows XP. Since Windows Server 2003/Windows 7, a lot of changes in DPAPI have made it more secure.

The security analysis from Passcape concludes:

"DPAPI deserves such close attention at least for the fact that it's the only password-based system that provides appropriate and thoroughly thought out protection of user's personal data. None of the operating systems has a more viable alternative to DPAPI! We should, perhaps, mention that the first implementation of DPAPI had a number of serious flaws, which could enable a potential malefactor to easily compromise user's data protected by DPAPI. The first pancake is known to be always lumpy. In all the sequel operating systems, beginning with Windows XP, those vulnerabilities have not merely been eliminated; the entire DPAPI system has undergone a major revision. In particular, it has adopted new encryption algorithms; that has made the Master Key password lookup speed about 1000 (!) times slower. Master Key encryption errors that potentially allowed any user to gain access to any files encrypted by EFS were fixed. The local Master Key backup system has been replaced with the password reset disk, etc. Overall, the DPAPI encryption system has become more robust, powerful, meeting the stringent requirements of password security."

Brian Vraamark

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel