OS X Keychain and Win XP Credential Manager

Somebody asked me today why Windows XP doesn't have something like Mac OS X's Keychain: a secure, systemwide store for names and passwords. And then I remembered, dimly, that it does -- sort of. When XP came out, all the feature lists mentioned Credential Manager, which uses the Windows Data Protection API (DPAPI) to do something that sounds just like what the OS X Keychain does. On XP, you get to the Credential Manager like so: Control Panel -> User Accounts -> Manage my Network Passwords.

It seems bizarre that I could have forgotten all about this. But then again, perhaps not. When I looked at the Stored Usernames and Passwords list, I found nothing there except for my Passport account. No FTP sites, websites, email accounts, or SSH accounts. Nor was I able to add such accounts using the GUI. Digging a bit deeper, I learned that Windows Server 2003's cmdkey can be transplanted to XP, where it can be used to list and add credentials. Using cmdkey I was able to add a Web account by specifying the "generic" type -- as opposed to the default, which is the domain. But IE still paid no attention. Its credential memory is apparently unrelated to Credential Manager. Who knew? Not me, anyway.

Next I went back to double-check the OS X situation. In Keychain Access, I found FTP sites, SSH accounts, and certificates, but no websites. How come? Oh, Firefox. I haven't used Safari in ages. Firefox evidently talks neither to Credential Manager on Windows nor to Keychain on OS X. But while Windows' native browser, IE, doesn't talk to the systemwide credential store, OS X's native browser, Safari, does. When I told Safari to remember credentials for a secure website, they showed up in Keychain Access. (Apparently Camino supports the Keychain too.)

Weird, eh? Some parting questions:

  1. Does IE really not use DPAPI to store non-Passport Internet credentials, and if not, why not?

  2. Will XP SP2 make any changes in this area?

  3. What would it take for a cross-platform app, say Firefox, to support both Credential Manager on Windows and Keychain on OS X?

  4. Do any existing apps do both?
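Question 3 is partly answerable in code. What follows is an added example, not something from the original post or from Firefox, Apple or Microsoft: a thin Python shim over the two stores compared above, driving their command-line front ends (cmdkey on Windows, the `security` tool on Mac OS X) rather than DPAPI/CredWrite or the Keychain C API directly. The service and account names are constructed, and the command shapes assume current cmdkey and `security` syntax (for instance `security find-generic-password -w`, which prints only the secret).

```python
# Added example (not from the post): a cross-platform wrapper over the system
# credential stores, built on each platform's CLI front end.
import subprocess
from typing import Optional


def store_command(platform: str, service: str, account: str,
                  password: Optional[str] = None) -> list:
    """argv that writes a 'generic' credential for service/account.

    When password is None the tool is left to prompt for it interactively,
    which keeps the secret out of process listings and shell history.
    """
    if platform.startswith("win"):
        # /generic: is the type the post used; /add: would create a domain
        # (NTLM/Kerberos) credential, which web-style logins cannot use.
        argv = ["cmdkey", f"/generic:{service}", f"/user:{account}"]
        argv.append(f"/pass:{password}" if password is not None else "/pass")
        return argv
    if platform == "darwin":
        # -U updates an existing item instead of failing with "already exists".
        argv = ["security", "add-generic-password",
                "-a", account, "-s", service, "-U"]
        if password is not None:
            argv += ["-w", password]
        return argv
    raise ValueError(f"no system credential store wrapper for {platform!r}")


def list_command(platform: str) -> list:
    """argv that enumerates stored items (names and attributes, never secrets)."""
    if platform.startswith("win"):
        return ["cmdkey", "/list"]
    if platform == "darwin":
        return ["security", "dump-keychain"]
    raise ValueError(f"no system credential store wrapper for {platform!r}")


def read_command(platform: str, service: str, account: str) -> list:
    """argv that prints the stored password for service/account.

    Only the Keychain exposes this from the command line. cmdkey can create,
    list and delete entries but never outputs a stored secret; a Windows
    program has to call CredRead from the Credential Management API instead.
    """
    if platform == "darwin":
        return ["security", "find-generic-password",
                "-a", account, "-s", service, "-w"]
    if platform.startswith("win"):
        raise NotImplementedError("cmdkey cannot read secrets back; use CredRead")
    raise ValueError(f"no system credential store wrapper for {platform!r}")


def run(argv: list, capture: bool = True) -> str:
    """Execute one of the argv lists above; return stdout when captured."""
    completed = subprocess.run(argv, check=True, capture_output=capture, text=True)
    return completed.stdout if capture else ""


if __name__ == "__main__":
    import sys
    # Constructed example entry; the password is prompted for, not passed.
    run(store_command(sys.platform, "ftp.example.com", "jon"), capture=False)
    print(run(list_command(sys.platform)))
```

The asymmetry in `read_command` is the practical catch for any app that wants to use both stores: on the Mac the CLI gives a script the secret back (after the Keychain prompts the user to allow it), while on Windows cmdkey is write-only and retrieval means linking against the Credential Management API.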


Update: Ari Pernick spells out the situation, which is a bit complex. Briefly, WinInet uses DPAPI for NTLM/Kerberos, but uses PStore for basic and digest authentication. He writes:

Pstore doesn't do as good of a job of protecting credentials as the Data Protection and Credential Management APIs do and as the warning on the API documentation suggests, it is likely to change or go away in Longhorn. In that timeframe WinInet will switch to use the better APIs for those types of credentials. As for Udell's question #1, which asks why we don't use the better APIs to store basic and digest authentication, my best guess is that the credential manager wasn't really made to hold that type of credential well (you can't input them from the GUI UI). And to answer question #2, this hasn't changed in Windows XP SP2.

Even with the planned changes I referred to, you are still a far cry from centralized credential management that includes all web credentials. The credentials in the better store may still not show up in the GUI and forms based authentication is a completely different beast altogether. Sounds like a nice feature to integrate all of those in one GUI for a user, and maybe an IE or a security pm will hear the call and make it so, especially if the users ask for it. [Ari Pernick: WebTransports: Where to put the credentials?]

Thanks for clearing that up, Ari. I suspect that if more users thought about this issue, they'd be asking for the solution, but since they don't, they aren't. For what it's worth, I'm asking. Whether you are a home user or an enterprise user, you've got a boatload of Web credentials to manage. For something so basic, it seems nuts to have to rely on a non-integrated third-party solution -- Bruce Schneier's Password Safe, for example -- when the platform could support an integrated solution. Something this basic ought to be built in, as it is on the Mac. And "the Longhorn time frame" seems awfully remote. XP SP3, maybe?


Former URL: http://weblog.infoworld.com/udell/2004/06/24.html#a1028