
I have an Outlook VBA script which needs to connect to a remote server. For this the user must enter his server password. To avoid hitting this server password every time, I want to securely save it in the registry.

I already found an article on how to encrypt a string: Can I use DPAPI (or something like it) in VBA?

But you need a secret key for the encryption. Is there something user-specific in Windows that I can use? I doubt that I can read the Windows password of the logged-in user because this would be a security gap. But is it possible to get the hash of his Windows password? In this case I could encrypt the server password with the hash of the Windows password and fulfill both requirements. No one other than the logged-in user can get the server password, and the user himself does not need to type it in every time.

If there is no possibility to get the hash of the Windows password, maybe there is some other user-specific information in Windows which only the logged-in user can access.

Regards,

Thomas

1 Answer

In the meantime I found a solution. DPAPI also provides two functions called CryptProtectData and CryptUnprotectData. There you could encrypt the server password without the need of another password for encryption.

You could not call this function from VBA, but an example of an implementation via a DLL call can be found here: http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-04/0299.html

Details about these two functions can be found here: https://support.microsoft.com/de-de/kb/309408/en-us#3

DPAPI helps protect confidential information by using value data derived from a pseudo-random 512-bit number named a master key…. Because master keys contain the data that is required to decrypt all the user's confidential information, the master keys must be protected. They are protected using a value that is derived from the user's password. The password is a unique value that only a user knows

Thomas
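The approach from the answer above, as an added example that is not part of the original post or the linked newsgroup code: CryptProtectData and CryptUnprotectData are declared from crypt32.dll, and the encrypted blob is stored hex-encoded in the current user's registry hive via SaveSetting. It assumes VBA7 (Office 2010 or later, for PtrSafe and LongPtr); the setting names "OutlookServerMacro", "Auth" and "PasswordBlob" are hypothetical.

```vba
Private Type DATA_BLOB
    cbData As Long
    pbData As LongPtr
End Type
Private Declare PtrSafe Function CryptProtectData Lib "crypt32.dll" (pIn As DATA_BLOB, _
    ByVal pDescr As LongPtr, ByVal pEntropy As LongPtr, ByVal pReserved As LongPtr, _
    ByVal pPrompt As LongPtr, ByVal dwFlags As Long, pOut As DATA_BLOB) As Long
Private Declare PtrSafe Function CryptUnprotectData Lib "crypt32.dll" (pIn As DATA_BLOB, _
    ByVal ppDescr As LongPtr, ByVal pEntropy As LongPtr, ByVal pReserved As LongPtr, _
    ByVal pPrompt As LongPtr, ByVal dwFlags As Long, pOut As DATA_BLOB) As Long
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, ByVal Src As LongPtr, ByVal n As LongPtr)
Private Declare PtrSafe Function LocalFree Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Private Const UI_FORBIDDEN As Long = &H1   ' CRYPTPROTECT_UI_FORBIDDEN: never show a prompt

' Encrypts (protect = True) or decrypts a byte array under the logged-on user's DPAPI key.
Private Function Dpapi(bytes() As Byte, ByVal protect As Boolean) As Byte()
    Dim blobIn As DATA_BLOB, blobOut As DATA_BLOB, ok As Long, result() As Byte
    blobIn.cbData = UBound(bytes) + 1
    blobIn.pbData = VarPtr(bytes(0))
    If protect Then ok = CryptProtectData(blobIn, 0, 0, 0, 0, UI_FORBIDDEN, blobOut) _
    Else ok = CryptUnprotectData(blobIn, 0, 0, 0, 0, UI_FORBIDDEN, blobOut)
    If ok = 0 Then Err.Raise vbObjectError + 513, , "DPAPI failed: " & Err.LastDllError
    ReDim result(0 To blobOut.cbData - 1)
    CopyMemory result(0), blobOut.pbData, blobOut.cbData
    LocalFree blobOut.pbData               ' DPAPI allocated the output buffer
    Dpapi = result
End Function

Public Sub SaveServerPassword(ByVal password As String)
    Dim plain() As Byte, cipher() As Byte, hexText As String, i As Long
    If Len(password) = 0 Then Err.Raise 5  ' an empty array has no element to point at
    plain = password                       ' UTF-16LE bytes of the string
    cipher = Dpapi(plain, True)
    For i = 0 To UBound(cipher)            ' hex-encode: the blob is binary, the setting is text
        hexText = hexText & Right$("0" & Hex$(cipher(i)), 2)
    Next i
    SaveSetting "OutlookServerMacro", "Auth", "PasswordBlob", hexText   ' stored under HKCU
End Sub

Public Function LoadServerPassword() As String
    Dim hexText As String, cipher() As Byte, plain() As Byte, i As Long
    hexText = GetSetting("OutlookServerMacro", "Auth", "PasswordBlob", "")
    If Len(hexText) = 0 Then Exit Function ' nothing stored yet: returns ""
    ReDim cipher(0 To Len(hexText) \ 2 - 1)
    For i = 0 To UBound(cipher)
        cipher(i) = CByte("&H" & Mid$(hexText, 2 * i + 1, 2))
    Next i
    plain = Dpapi(cipher, False)           ' fails for any other Windows user
    LoadServerPassword = plain
End Function
```

Any code running as the same Windows user can pass this blob to CryptUnprotectData, so the protection is against other accounts and offline copies of the registry, not against other programs in the user's own session.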