We are using the DPAPI method to protect the password for our application, using the code below. We checked and found that other users were able to decrypt the password if elevated privileges were gained.
Imports System.Text
Imports System.Reflection
Imports System.Security.Cryptography

Public Class Form1

    Private Sub Form1_Load(sender As System.Object, e As System.EventArgs) Handles MyBase.Load
        'Dim b As String = Protect("Password@123")
        'System.IO.File.AppendAllText("\\PC-NAME\D\1.txt", "start " & b & vbNewLine)
        'MsgBox(b)
        'MsgBox(Unprotect(b))
        MsgBox(Unprotect("AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAApnUIqLR6vkqzZqDYfVAOrQAAAAACAAAAAAAQZgAAAAEAACAAAADM2Pzu5Z/KjrjQtBzfXXu1YChtK1CMJCP98vFcvRxshwAAAAAOgAAAAAIAACAAAAB7DFmhHkBTe2OaCUUo34ey469wTHulPoe9yCQzNlFR9BAAAADLF/JyBrVjvDA+h0N93GymQAAAAHA2uT7YL8W9KRCqQmdaNKHFJPUmIaG56ufOggvFrRwK5Owto6+6yRDrUUn76Ipj/v3tsgpr3YK66yNhMC+ahWE="))
        'System.IO.File.AppendAllText("\\PC-NAME\D\1.txt", "unprotected " & Unprotect(b) & vbNewLine)
    End Sub

    ' Optional entropy: the assembly's full name (ASCII, as in the original so existing blobs still decrypt).
    ' Note that this value is readable from the binary by anyone, so it is not a secret.
    Public Shared Function Protect(ByVal str As String) As String
        Dim entropy As Byte() = Encoding.ASCII.GetBytes(Assembly.GetExecutingAssembly().FullName)
        ' UTF-8 so that non-ASCII characters in the password survive the round trip.
        Dim data As Byte() = Encoding.UTF8.GetBytes(str)
        Dim protectedDatas As String = Convert.ToBase64String(ProtectedData.Protect(data, entropy, DataProtectionScope.CurrentUser))
        Return protectedDatas
    End Function

    ' Reverse of Protect: same scope and the same entropy are required, otherwise DPAPI throws.
    Public Shared Function Unprotect(ByVal str As String) As String
        Dim protectedDatab As Byte() = Convert.FromBase64String(str)
        Dim entropy As Byte() = Encoding.ASCII.GetBytes(Assembly.GetExecutingAssembly().FullName)
        Dim data As String = Encoding.UTF8.GetString(ProtectedData.Unprotect(protectedDatab, entropy, DataProtectionScope.CurrentUser))
        Return data
    End Function

End Class
If DPAPI is very secure, then how are the passwords able to be decrypted so easily? We would also like to know how applications like Skype, which use DPAPI, protect their users' passwords, as we were not able to decrypt them.
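Added example, not the asker's code and not a description of how Skype or any other product does it: the same DPAPI CurrentUser round trip, but with the optional entropy derived from a secret the user types at run time instead of from the assembly name, which anyone can read out of the binary and which therefore adds nothing beyond the user's logon context. It assumes Windows, a reference to System.Security, and hypothetical salt and iteration sizes; the Main routine also shows that the same blob cannot be unprotected with different entropy.

```vbnet
Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Module PassphraseEntropyDemo
    ' Hypothetical sizes chosen for this example.
    Private Const SaltSize As Integer = 16, KdfIterations As Integer = 100000
    ' Entropy comes from a run-time secret, not from the assembly name that
    ' anyone can read out of the binary. Only the random salt is stored.
    Private Function DeriveEntropy(passphrase As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(passphrase, salt, KdfIterations)
            Return kdf.GetBytes(32)
        End Using
    End Function
    ' Stored layout: salt || DPAPI blob, Base64-encoded.
    Public Function ProtectWithPassphrase(secret As String, passphrase As String) As String
        Dim salt(SaltSize - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Dim blob As Byte() = ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), DeriveEntropy(passphrase, salt), DataProtectionScope.CurrentUser)
        Dim stored(salt.Length + blob.Length - 1) As Byte
        Buffer.BlockCopy(salt, 0, stored, 0, salt.Length)
        Buffer.BlockCopy(blob, 0, stored, salt.Length, blob.Length)
        Return Convert.ToBase64String(stored)
    End Function
    ' DPAPI throws CryptographicException when the entropy differs, so a wrong
    ' passphrase (or another user's profile) cannot recover the value.
    Public Function UnprotectWithPassphrase(stored As String, passphrase As String) As String
        Dim raw As Byte() = Convert.FromBase64String(stored)
        Dim salt(SaltSize - 1) As Byte
        Dim blob(raw.Length - SaltSize - 1) As Byte
        Buffer.BlockCopy(raw, 0, salt, 0, SaltSize)
        Buffer.BlockCopy(raw, SaltSize, blob, 0, blob.Length)
        Dim plain As Byte() = ProtectedData.Unprotect(blob, DeriveEntropy(passphrase, salt), DataProtectionScope.CurrentUser)
        Return Encoding.UTF8.GetString(plain)
    End Function
    ' Limit: CurrentUser scope still lets any code running as this user call Unprotect,
    ' so an unattended service, having no run-time secret to add, gets only DPAPI's own protection.
    Sub Main()
        Dim stored As String = ProtectWithPassphrase("Password@123", "user-typed secret")
        Console.WriteLine(UnprotectWithPassphrase(stored, "user-typed secret"))
        Try
            UnprotectWithPassphrase(stored, "wrong secret")
        Catch ex As CryptographicException
            Console.WriteLine("Unprotect refused: " & ex.Message)
        End Try
    End Sub
End Module
```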