How to strengthen DPAPI encryption and password security?

IT Researcher 46 Reputation points
2022-05-04T11:55:58.967+00:00

We are using the DPAPI method to protect the password for our application, using the code below. We checked and found that other users were able to decrypt the password if elevated privileges were gained.

    Imports System.Text
    Imports System.Reflection
    Imports System.Security.Cryptography

    Public Class Form1

        Private Sub Form1_Load(sender As System.Object, e As System.EventArgs) Handles MyBase.Load
            'Dim b As String = Protect("Password@123")
            'System.IO.File.AppendAllText("\\PC-NAME\D\1.txt", "start " & b & vbNewLine)
            'MsgBox(b)
            'MsgBox(Unprotect(b))
            ' Decrypt a blob produced earlier by Protect() under this user's account.
            MsgBox(Unprotect("AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAApnUIqLR6vkqzZqDYfVAOrQAAAAACAAAAAAAQZgAAAAEAACAAAADM2Pzu5Z/KjrjQtBzfXXu1YChtK1CMJCP98vFcvRxshwAAAAAOgAAAAAIAACAAAAB7DFmhHkBTe2OaCUUo34ey469wTHulPoe9yCQzNlFR9BAAAADLF/JyBrVjvDA+h0N93GymQAAAAHA2uT7YL8W9KRCqQmdaNKHFJPUmIaG56ufOggvFrRwK5Owto6+6yRDrUUn76Ipj/v3tsgpr3YK66yNhMC+ahWE="))
            'System.IO.File.AppendAllText("\\PC-NAME\D\1.txt", "unprotected " & Unprotect(b) & vbNewLine)
        End Sub

        ' Optional entropy: the executing assembly's full name. It is readable from the
        ' binary's metadata, so it ties the blob to this assembly identity but is not a secret key.
        Private Shared Function GetEntropy() As Byte()
            Return Encoding.ASCII.GetBytes(Assembly.GetExecutingAssembly().FullName)
        End Function

        ' Encrypts str with DPAPI under the current user's profile key. UTF8 (rather than ASCII)
        ' keeps non-ASCII password characters intact; ASCII-only input round-trips identically.
        Public Shared Function Protect(ByVal str As String) As String
            Dim data As Byte() = Encoding.UTF8.GetBytes(str)
            Dim protectedBytes As Byte() = ProtectedData.Protect(data, GetEntropy(), DataProtectionScope.CurrentUser)
            Return Convert.ToBase64String(protectedBytes)
        End Function

        ' Reverses Protect(). Throws CryptographicException when called under a different user account.
        Public Shared Function Unprotect(ByVal str As String) As String
            Dim protectedBytes As Byte() = Convert.FromBase64String(str)
            Dim data As Byte() = ProtectedData.Unprotect(protectedBytes, GetEntropy(), DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(data)
        End Function

    End Class

If DPAPI is very secure, then how are the passwords able to be decrypted so easily? We would also like to know how applications like Skype, which use DPAPI, protect their users' passwords, as we were not able to decrypt them.

Windows development Windows API - Win32
Developer technologies VB

1 answer

  1. RLWA32 49,536 Reputation points
    2022-05-04T18:31:28.153+00:00

    I could not reproduce your issue. Data encrypted and written to a file by a standard user was not accessible to a different user account. It made no difference whether or not the other account was running with elevated privileges as Administrator.

    In every case the attempt to decrypt the data threw an exception -

    [attached screenshot: 198946-exception.png]

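The cross-account check described in the answer above, as an added PowerShell example (not code from the question or the answer). It calls the same System.Security.Cryptography.ProtectedData API the VB.NET code uses, derives the entropy the same way from an assembly full name, and writes a LocalMachine-scope blob alongside the CurrentUser one for contrast. The assembly name 'MyApp, ...', the path C:\Temp\dpapi-test.json and the existence of a second local account are assumptions; the script targets Windows PowerShell 5.1 (PowerShell 7 on Windows also works).

```powershell
# Added example, not code from the question or the answer. Reproduces the check the answer
# describes: protect as user A, try to unprotect as user B (unelevated, then elevated).
# Assumptions (ours): Windows PowerShell 5.1 on Windows; the assembly name and file path
# below are placeholders; user B has read access to the blob file.

Add-Type -AssemblyName System.Security

# Entropy derived exactly as the posted Protect()/Unprotect() derive it: ASCII bytes of the
# executing assembly's full name. Anyone holding the binary can read this string, so it binds
# the blob to the application identity but contributes no secrecy.
$AppAssemblyFullName = 'MyApp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'  # hypothetical
$Entropy  = [System.Text.Encoding]::ASCII.GetBytes($AppAssemblyFullName)
$BlobFile = 'C:\Temp\dpapi-test.json'                                                   # hypothetical

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Plaintext,
        [Parameter(Mandatory)][byte[]]$Entropy,
        [Parameter(Mandatory)][System.Security.Cryptography.DataProtectionScope]$Scope
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [Parameter(Mandatory)][byte[]]$Entropy,
        [Parameter(Mandatory)][System.Security.Cryptography.DataProtectionScope]$Scope
    )
    $blob  = [Convert]::FromBase64String($Base64Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Step 1: run in a session belonging to the account that owns the secret (user A).
# Writes one blob per scope so the two scopes can be compared from the other account.
function Write-TestBlobs {
    New-Item -ItemType Directory -Path (Split-Path $BlobFile) -Force | Out-Null
    $blobs = @{
        CurrentUser  = Protect-Secret -Plaintext 'Password@123' -Entropy $Entropy -Scope CurrentUser
        LocalMachine = Protect-Secret -Plaintext 'Password@123' -Entropy $Entropy -Scope LocalMachine
    }
    $blobs | ConvertTo-Json | Set-Content -Path $BlobFile
    "Wrote blobs as $env:USERNAME to $BlobFile"
}

# Step 2: run as a different account (user B), once unelevated and once from an elevated
# prompt. Expected: CurrentUser blob -> CryptographicException in both cases;
# LocalMachine blob -> plaintext in both cases.
function Test-TestBlobs {
    $blobs = Get-Content -Path $BlobFile -Raw | ConvertFrom-Json
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        try {
            $plain = Unprotect-Secret -Base64Blob $blobs.$scope -Entropy $Entropy -Scope $scope
            [pscustomobject]@{ Scope = $scope; User = $env:USERNAME; Result = "decrypted: $plain" }
        } catch {
            # .NET exceptions surface wrapped in a MethodInvocationException; report the inner one.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            [pscustomobject]@{ Scope = $scope; User = $env:USERNAME; Result = "$($ex.GetType().Name): $($ex.Message)" }
        }
    }
}

# Usage:
#   as user A:                       . .\dpapi-test.ps1; Write-TestBlobs
#   as user B, unelevated and elevated: . .\dpapi-test.ps1; Test-TestBlobs
```

Run Write-TestBlobs in a session owned by the account that should hold the secret, then Test-TestBlobs as a second account, first from a normal prompt and then from an elevated one. For the CurrentUser blob the second account gets a CryptographicException either way, which is the result the answer reports; the LocalMachine blob decrypts for any account on the machine, so if a LocalMachine scope has crept into a build, "other users can decrypt it" is the documented behaviour rather than a DPAPI failure. Two caveats worth keeping in mind when reading such a test: the entropy is recomputable from the binary, so it is a binding value, not a second key; and CurrentUser scope is keyed from the owner's logon credentials, so an elevated attacker who can run code as that user (for instance by impersonating a token from one of the user's logged-on processes) or who recovers that user's DPAPI master key decrypts the blob exactly as the application does. That boundary applies to every DPAPI consumer on the machine, not only to this application.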
