Wednesday, March 25, 2015

Is the ProtectedData class still an acceptable method to store passwords?



I'm writing a piece of software which will have to store a user's password to allow authentication with a third-party service. Unfortunately, this service currently requires the use of a password rather than some other method. A key feature/advantage of this software will be the elimination of a sign-in prompt (after the first authentication), and so it's imperative that we store the password.


I intend to use the .NET ProtectedData class for this operation.


I'm essentially asking - is this acceptable in 2015? Is there a better and more secure method of storing this data?


Further detail as requested: The software is client side, designed to run in the user's context on Windows desktops. These machines are generally going to be "managed" machines (i.e., under the control of an IT department), but I'm building on the presumption that this software could be installed on any client, by any user.


Therefore, I essentially need to presume that at any point a machine could be lost/stolen. That said, if a user's account is compromised then that's already more damaging than a potential compromise of this password.
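
For reference, the per-user ProtectedData (DPAPI) usage the question describes could look like the following; this is an added example, not code from the original post. The class name `StoredPassword`, the `ExampleApp` folder and the file layout (16 bytes of entropy followed by the DPAPI blob) are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: name, folder and file layout are assumptions, not from the post.
static class StoredPassword
{
    const int EntropyLength = 16;
    static readonly string BlobPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleApp", "credential.bin");

    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] entropy = new byte[EntropyLength];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(entropy);
        try
        {
            // CurrentUser scope: the blob is bound to this Windows user's DPAPI keys.
            byte[] blob = ProtectedData.Protect(plain, entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
            using (var fs = File.Create(BlobPath))
            {
                fs.Write(entropy, 0, entropy.Length); // entropy is stored in the clear
                fs.Write(blob, 0, blob.Length);
            }
        }
        finally { Array.Clear(plain, 0, plain.Length); } // wipe the plaintext byte copy
    }

    // Returns null when nothing usable is stored, so the caller can re-prompt.
    public static string Load()
    {
        if (!File.Exists(BlobPath)) return null;
        byte[] data = File.ReadAllBytes(BlobPath);
        if (data.Length <= EntropyLength) return null;
        byte[] entropy = new byte[EntropyLength];
        byte[] blob = new byte[data.Length - EntropyLength];
        Buffer.BlockCopy(data, 0, entropy, 0, EntropyLength);
        Buffer.BlockCopy(data, EntropyLength, blob, 0, blob.Length);
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException) { return null; } // modified blob or another user's profile
    }
}
```

With `DataProtectionScope.CurrentUser`, any process running as the same Windows user can call `Unprotect` on the blob, so the protection is against other accounts and against copies of the file taken without the user's credentials, not against code already running in the user's session.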




