protect saved rdp passwords...
I just ran Network Password Recovery (http://www.nirsoft.net/utils/network_password_recovery.html) and it exposed ALL of my saved RDP passwords. I'm curious how to save my RDP
credentials but protect them at the same time. Any tips (preferably free)?
TIA.
May 9th, 2011 6:38pm
Hello,
It seems that "the password is encrypted and hashed with the SID (Security Identifier) of the Windows user account. So it’s reasonably safe since you need both the computer and the user account."
To be confirmed.
BR,
Simon. http://blog.simaju.fr - Knowledge sharing and lessons learned.
May 9th, 2011 6:48pm
I was thinking about a drive-by download running as my user. But I guess any solution would be vulnerable to this. Since the password ultimately has to be decrypted in order to send it to the remote machine for logging in.
This is still scary to think about a rogue admin changing your password, logging in as you, running Network Password Recovery and getting ALL of your RDP passwords...
Is there possibly a more secure way?
May 9th, 2011 6:56pm
Ok, how can I explain this...
If you suspect an admin might go "rogue" then that person doesn't need to be an admin. In an Active Directory environment, there is nothing I can do to prevent an admin from doing something. You MUST trust your admins.
These passwords are secured with CryptoAPI just like everything else credential manager stores. Your password is ultimately what keeps these other passwords safe. If an admin changes your password and logs onto your computer as you, he has full
access to everything you have access to. Period. The system doesn't know it isn't you...
The only way to make this more secure is to move to a two-factor authentication model. So, if you required a smart card and a PIN, then physical access to the smart card would be required to get on the system...OH but wait!!! The admin can turn
off this requirement. Get the point?
May 10th, 2011 12:03am
I see your point of hiring trustworthy admins but what about drive-by exploits? It would be nice if the passwords were stored asymmetrically.
May 10th, 2011 12:45am
Why not put all your RDP files on an encrypted USB drive?
Why not store all of them in a compressed file protected by a password and stored in an encrypted partition?
http://blog.simaju.fr - Knowledge sharing and lessons learned.
May 10th, 2011 9:59am
Hi Customer,
It's a useful tool for password recovery when you forget it.
If you want to protect your credential, you could give the client user rights, define its name as a virus in AV software, and deploy software restriction policies in Group Policy to disallow it from running.
Regards, Rick Tan
May 10th, 2011 12:15pm
Hi Customer,
It's a useful tool for password recovery when you forget it.
If you want to protect your credential, you could give the client user rights, define its name as a virus in AV software, and deploy software restriction policies in Group Policy to disallow it from running.
Regards, Rick Tan
Hello Rick,
Admins can revert all these things, no?
RDP files are still available with the password "hashed" inside.
http://blog.simaju.fr - Knowledge sharing and lessons learned.
May 10th, 2011 12:48pm
I'm not sure I understand. What do you mean by "stored asymmetrically"? If there is a better way to do it, I really want to hear about it. We use the one secret thing we have (the user's password) to encrypt the information. Is there
something else that could be used to do this? Something that an administrator could not reverse?
May 10th, 2011 3:59pm
I'm not sure I understand. What do you mean by "stored asymmetrically"? If there is a better way to do it, I really want to hear about it. We use the one secret thing we have (the user's password) to encrypt the information.
Is there something else that could be used to do this? Something that an administrator could not reverse?
I'd like to hear if something else could be used also. I'm not a software developer nor a cryptologist but being able to decrypt passwords doesn't sound like the best way to me. Active Directory manages to store passwords in a non-recoverable
fashion. Unix manages to store passwords encrypted. Websites store passwords in databases encrypted.
At the very least credential manager should require a decent bruteforce attempt to defeat.
I have since stopped saving my passwords for RDP sessions. It simply can't be used with today's internet. I do things like login with non-admin privileges then use RDP to login to remote boxes with admin privileges. Saving my password in
this scenario is just one drive-by exploit away from compromising the entire network.
May 10th, 2011 10:34pm
Your passwords are stored encrypted. They are not stored in plain text. The link to the software you mentioned even says:
"This utility recovers all network passwords stored on your system for the current logged-on user. It can also recover the passwords stored in Credentials file of external drive,
as long as you know the last log-on password. "
If you really want to know how all of this works, and why your stuff IS SAFE then check this out:
Windows Data Protection
http://msdn.microsoft.com/en-us/library/ms995355
This discusses the Data Protection API (which is a part of cryptoapi that I mentioned earlier). On this site it says:
"DPAPI is a password-based data protection service. It requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines,
specifically the strong Triple-DES algorithm, and strong keys, which we'll cover in more detail later. Because DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user's logon password
for protection."
Also:
"Applications either pass plaintext data to DPAPI and receive an opaque protected data BLOB back, or pass the protected data BLOB to DPAPI and receive the plaintext data back."
So that third party application you're referencing is likely using DPAPI to pass in your protected data (the stored passwords) and your user password so that DPAPI can spit out the plain text stuff (disclaimer: I don't have anything to do with this application
so I don't actually know). Either way though, the key is your user password. If someone else has it then any passwords you are storing on your desktop are no longer safe no matter what we do!
As a matter of fact, DPAPI doesn't even use your user's password so to speak.
"DPAPI actually uses the user's logon credential. In a typical system, in which the user logs on with a password, the logon credential is simply a hash of the user's password"
So to your point, a hash is used, just like in AD. What we cannot do is store your RDP credentials as a hash. Obviously if you wanted to store a password to ANYTHING, to have it entered automatically for you later, would necessitate storing the
password, not a hash of the password. If you opened RDP and typed in the MD5 hash of your password it would fail as you would expect it to. Same with websites. Can you logon to your domain joined workstation with a password hash? No,
because a hash of your passwords hash is a completely different hash.
When you get a second, also check out this website (it's old, but still pretty relevant):
10 Immutable Laws of Security
http://technet.microsoft.com/en-us/library/cc722487.aspx
Pay special attention to law #1, #2, #3, and #7.
Law #7: Encrypted data is only as secure as the decryption key
In this case your decryption key is your password.
I hope this helps. I just want you to realize the problem here isn't with Windows Security. We're doing everything we can to protect your data. If you decide to give it away though, there is nothing we can do about it. Installing
an application from a developer you do not trust on your workstation is giving it away. Giving people you do not trust administrative rights to your desktop is giving it away.
If instead you pointed to a vulnerability to DPAPI, then that's something we would need to fix! :)
May 11th, 2011 12:20am
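As an added example, not posted by anyone in this thread, here is the DPAPI round trip the reply above describes, written for Windows PowerShell 5.1. It uses the .NET ProtectedData class, which wraps the same CryptProtectData/CryptUnprotectData calls that Credential Manager relies on; the password string is constructed for illustration, the function names are the example's own, and the hex output is assumed to match the form mstsc writes into an .rdp file's "password 51:b:" line.

```powershell
# Added example (not from the thread): DPAPI round trip under CurrentUser scope.
# Shows why anything running as the logged-on user can recover saved RDP passwords.
Add-Type -AssemblyName System.Security

function Protect-ForCurrentUser {
    param([Parameter(Mandatory)][string]$Secret)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Secret)
    # $null optional entropy: the blob is bound only to the user's logon credential,
    # i.e. the DPAPI master key derived from the user's password hash.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    # Hex form, assumed to match what mstsc stores as "password 51:b:<hex>" in .rdp files
    return (($blob | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Unprotect-ForCurrentUser {
    param([Parameter(Mandatory)][string]$Hex)
    $blob = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $blob.Length; $i++) {
        $blob[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    # No password is supplied here: LSA already holds the master key for this logon session
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Constructed sample password; never use a real one in a test script
$hex = Protect-ForCurrentUser -Secret 'Example-RDP-Pa55w0rd'
"password 51:b:$hex"

# Any code running as the same user (a drive-by payload included) gets the plaintext back
Unprotect-ForCurrentUser -Hex $hex

# Running the line above from a different account on the same machine throws a
# CryptographicException: the blob is tied to the protecting user's logon credential.

# Saved RDP targets held by Credential Manager are listed under TERMSRV/<host>
cmdkey /list | Select-String 'TERMSRV'
```

Two caveats a practitioner should keep in mind when reading the suggestions earlier in the thread. An .rdp file with a saved password carries the same CurrentUser DPAPI blob wherever the file lives, so an encrypted USB drive only helps while the drive is unplugged; once mounted, the file decrypts for that user with no prompt, exactly as above. And for domain accounts the DPAPI master keys are escrowed under the domain backup key held by the domain controllers, which is why an administrator who resets your domain password still ends up with access to the data after logging on as you, whereas resetting a local account's password without knowing the old one leaves that account's existing DPAPI-protected data unrecoverable.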
I still think storing the passwords as a one-way hash would be better than the way it is now. Law #7 doesn't apply to one-way hash algorithms since there is no decryption key.
I realize this idea doesn't sound possible (how will I authenticate without the true password?) but that's how a lot of things are in computer science until someone figures out a better way.
May 11th, 2011 12:39am