Which Encryption algorithm does ProtectedData use?

Question

For password encryption I want to use ProtectedData.

As far as I found out, this is a wrapper for CryptProtectData.

The MSDN only states something vague about encryption based on user credentials and that decryption usually must be done on the same machine, if user has no roaming profile.

Which encryption algorithm does it use?

Is there any analysis that states whether this encryption is suiting for password storage?

How else to implement a local password storage?

Answer 1

This MSDN article has more information about CryptProtectData and DPAPI, and should contain the information you need. In particular:

DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in PKCS #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.

The article applies to an older version of Windows, so depending on your Windows version, these algorithms might change, but they are probably not going to be less secure than the ones mentioned here.

Whether or not this is suitable for "password storage", depends a bit on what exactly you mean by this and what passwords you're storing I would say.