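This article discusses WinRT's PasswordVault programming interface.
Open Credential Manager from the Start menu and you will see that it has two sections: Web Credentials and Windows Credentials.
The PasswordVault API provided by WinRT can be used to work with Web Credentials.
Below is a command-line example that shows how to list Web Credentials: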
vaultcmd /listcreds:"Web Credentials" /all
A Python/WinRT example that adds a credential, then retrieves all credentials again and prints them:
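from winrt.windows.security.credentials import PasswordVault
from winrt.windows.security.credentials import PasswordCredential

vault = PasswordVault()
# PasswordCredential(resource, user_name, password)
cred = PasswordCredential("BreadStone", "AllWheat", "150gramsalt")
vault.add(cred)

# retrieve_all() returns entries without the password populated
allCreds = vault.retrieve_all()
for cred in allCreds:
    cred.retrieve_password()  # load the password for this entry
    print(cred.user_name, cred.password, cred.resource) # AllWheat 150gramsalt BreadStone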
The same entry as shown by vaultcmd:
Credential schema: Windows Web Password Credential
Resource: BreadStone
Identity: AllWheat
Hidden: No
Roaming: Yes
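Note that the protection of Web Credentials only holds against restricted-privilege processes such as UWP apps; any ordinary Win32 process may be able to access all of the user's credentials.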
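To inventory which Web Credentials entries are stored for the current user (and which of them roam), the vaultcmd output shown above can be parsed into records. This is an added example, not code from the original article; the sample text is constructed in the five-field layout shown above, and the parser assumes every entry starts with a `Credential schema:` line.

```python
import subprocess

# Constructed sample in the field layout shown above (not real output).
SAMPLE = """\
Currently loaded credentials in vault: Web Credentials

Credential schema: Windows Web Password Credential
Resource: BreadStone
Identity: AllWheat
Hidden: No
Roaming: Yes

Credential schema: Windows Web Password Credential
Resource: https://intranet.example:8443/login
Identity: CORP\\alice
Hidden: No
Roaming: No
"""

FIELDS = ("Credential schema", "Resource", "Identity", "Hidden", "Roaming")

def parse_vaultcmd(text):
    """Turn `vaultcmd /listcreds` text into a list of dicts, one per entry."""
    records, current = [], None
    for line in text.splitlines():
        # Split on the first colon only: resources may contain ':' (URLs, ports).
        key, sep, value = line.strip().partition(":")
        if not sep or key not in FIELDS:
            continue  # banner, blank line, or a field this example ignores
        if key == "Credential schema":  # assumed to open every entry
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value.strip()
    return records

def roaming(records):
    """Entries marked 'Roaming: Yes', as (resource, identity) pairs."""
    return [(r.get("Resource"), r.get("Identity"))
            for r in records if r.get("Roaming", "").lower() == "yes"]

def list_web_credentials():
    """Windows only: run the vaultcmd command from this article and parse it."""
    out = subprocess.run(["vaultcmd", "/listcreds:Web Credentials", "/all"],
                         capture_output=True, text=True, check=True).stdout
    return parse_vaultcmd(out)

if __name__ == "__main__":
    for rec in parse_vaultcmd(SAMPLE):
        print(rec["Resource"], rec["Identity"], rec["Roaming"])
```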
In addition, Windows Credentials are read and written through CredRead and CredWrite; for details, see "How do I store and retrieve credentials from the Windows Vault credential manager?".
Other references
- PasswordVault security when used from Desktop app
- How secure is the Windows Credential Manager?
- Windows Data Protection
- Caching your GitHub password in Git
(End)