How secure is the Windows Credential Manager?

The Windows Credential Manager is anything but secure. It's "secure" at the user account level, which means that any process that the user ever runs and the user themselves must necessarily be trusted in order to call this system "secure" with a straight face.

The only semi secure way of using the Windows Credential Manager is to store values pre-hashed, then verify those hashes. However, since any elevated process the user runs has full read/write capability on that user's credential store, it simply can't be trusted at all.

Lets think about "secure" in the sense of locking an application locally. Let's take the example of a content filter that locks the settings page to keep the kids from enabling adult content, using the Credential Manager to store custom credentials. The same user, trying to bypass this, can do so easily. A user can visit the Credential Manager in the Control Panel and, though the values show up in asterisks, (*****), they can simply erase the value and replace it. Delete your hash, put in their own they're in.

What's even sillier is that the Control Panel will show asterisks, but if you use code accessing the applicable APIs, you can get the values in plain text. So passwords are not safe, hashes and such you verify to lock something are not safe. It's not safe, it's a piece of garbage and I've struggled for a long time to understand its usefulness, except for Microsoft to apparently have plain text copies of all of your passwords they can sell to the NSA.

Note
I realize there are measures you can take to encrypt contents before storing them, hashing them correctly etc, but my criticism still applies because doing these additional things is creating security, not the Windows Credential Manager. My problem with the Windows Credential Manager is that it advertises that using it through its provided GUI and or API is secure.


I heard that it's quite easy for someone to access these credentials once they've gained access to your computer, is it so?

It is not so.

Passwords stored in your credential vault are (ultimately) encrypted with your Windows password. In order to access the encrypted credentials, they need to know your password.

  • if someone knows your LastPass password, they can access your stored encrypted passwords
  • if someone knows your Windows password, they can access your stored encrypted passwords

But if someone has gained access to your computer:

  • they cannot access your LastPass passwords (because they're encrypted)
  • they cannot access your Vault passwords (because they're encrypted)

Bonus Reading

Technical details inside the Data Protection API