
Windows 7: Exploring Credential Manager and Windows Vault

Chaks   on 07 March 2009 - 13:50 · 38 comments & 24370 views

Last week, our friends Paul Thurrott and Rafael Rivera explored one of the untold mysteries (according to them) of Windows 7 - Windows Vault.



I have been using this feature for quite some time since the beta release, even before Paul and Rafael might have discovered it. Let me explain what this Windows Vault is and how to use it. Before that, let us take a minute to read what Microsoft replied to Mary-Jo Foley regarding Windows Vault:

"Windows 7 includes a feature called ‘credential manager.' This is similar to technology in past versions of Windows in that it stores your frequently used passwords so you can easily access and manage; however, in Windows 7 we've added the ability to back up or restore this information. The default storage vault for the credential manager information is the ‘Windows Vault.'"

As Microsoft says, the Windows Vault stores user credentials for servers, websites and other programs so that Windows can log users in automatically. At first glance, this might look as if users can now store their Facebook, Twitter, Gmail credentials and so on, so that they are logged in automatically via browsers. But that is not so.

Windows Vault stores credentials that Windows can use to log users in automatically. This means that any Windows application that needs credentials to access a resource (a server or a website) can use Credential Manager and Windows Vault to supply the stored credentials, instead of the user entering the username and password every time.

Unless an application interacts with Credential Manager, I don't think it is possible for it to use the stored credentials for a given resource. So, if your application wants to make use of the vault, it has to communicate with Credential Manager and request the credentials for that resource from the default storage vault.



Let us take an application as an example: Google Talk.

Google Talk does not use (Windows) Credential Manager to store or retrieve user credentials. Below are the steps that would be involved if Google Talk were to make use of the (Windows) Credential Manager:



1) Google Talk asks the Credential Manager for the credentials of a resource
2) Credential Manager looks in its default vault for the appropriate credentials (for that resource)
3) If a credential is associated with the resource, the vault returns it to the Credential Manager
4) Credential Manager returns it to Google Talk
5) Google Talk signs in with the returned credentials

I have seen a few Microsoft applications already making use of this feature in Windows 7:
  • Windows Live Messenger
  • Microsoft Word 2007
  • Microsoft Outlook 2007
  • Windows Explorer (when accessing network resources)

You have to remember that all these applications are accessing a resource using the Credential Manager, which can be a website or a server. In my case, I accessed my company resource through Microsoft Word which required username and password. When I stored my credentials for my company resource (usually the URL endpoint), Microsoft Word picked it up and prompted me with the username and password boxes filled in with those credentials!

Similarly, I added my network computer and the proper credentials to access it into the vault and Windows Explorer picked it up whenever I connected to that network computer! And similarly, when I accessed other network resources with credentials, Windows Explorer added those to the vault.

Since Windows Vault stores your credentials, you as a user should be able to access your vault and manage all of your credentials.



You can also back up and restore your vault, which is quite handy.



After this, Windows switches to a secure desktop where you can provide a password for your backup. You will be prompted for the password when you restore this vault on the other computer. The backup and restore feature worked really well for me.

Adding Credentials to the Vault



Most of the time it's going to be Windows applications that interact with the Credential Manager and not the user. However, if you do want to manage your credentials, you are allowed to do so.

Let us take an example of adding a Windows Credential. I am going to add credentials to connect to one of my network PCs - GALAXY. Initially, without the credentials being in the vault, I get this prompt when I connect to my PC:



Let us add the credentials:



Notice that I am writing my PC name as my resource. After adding the credentials, I can see them in my vault:



Here is the prompt I get now whenever I connect to my network PC - GALAXY:



It remembers the credentials once I choose the option to remember.

I tried adding my company credentials and tested with Microsoft Word 2007 and Microsoft Outlook 2007 and they all worked perfectly!

What's missing?

Well, there is no documentation online by Microsoft mentioning the uses of this credential manager for Windows 7, but given the fact that Windows 7 is still in its beta stage, I couldn't complain. In my opinion, Microsoft will come out with some documentation once Windows 7 RC is released.

I have not tested adding a certificate-based credential as I don't have any Windows applications that get authenticated using a certificate. Currently in Windows 7 build 7000, I get this when I choose to add a certificate-based credential:



But in Windows 7 build 7048, Microsoft has given a clue as to how this feature will be used. Below is what I get when I choose to add a certificate-based credential in Windows 7 build 7048:



Now, that's interesting: adding a certificate that is used with the smart card. Visit here to know more about enrolling for a smart card certificate. If you have a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus other uses of the smart card cryptography), you can very well test this feature in the Windows 7 build 7048!

What about developers?

Searching MSDN, I found a sample - Credential Management with the .NET Framework 2.0. The sample application interacts with the Credential Manager and allows you to manage your credentials in the default vault. It worked perfectly in Windows 7 build 7000.
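The request-and-return flow sketched earlier for Google Talk, written against the Win32 credential functions `CredRead` and `CredFree` in advapi32.dll. This is an added example, not the MSDN sample mentioned above or any application's own code; the target name `ExampleApp:demo` and the choice to treat the stored secret as UTF-16 text are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;

static class VaultLookup
{
    // Generic credentials are readable by any process running as the same user.
    // For CRED_TYPE_DOMAIN_PASSWORD (2) the documentation reserves the password
    // blob for the authentication packages, so an application cannot read it back.
    const uint CRED_TYPE_GENERIC = 1;
    const int ERROR_NOT_FOUND = 1168;

    // Managed mirror of the native CREDENTIALW structure (field order matters).
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDENTIAL
    {
        public uint Flags;
        public uint Type;
        public string TargetName;
        public string Comment;
        public FILETIME LastWritten;
        public uint CredentialBlobSize;   // size in bytes
        public IntPtr CredentialBlob;
        public uint Persist;
        public uint AttributeCount;
        public IntPtr Attributes;
        public string TargetAlias;
        public string UserName;
    }

    [DllImport("advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredRead(string target, uint type, uint flags, out IntPtr credential);

    [DllImport("advapi32.dll")]
    static extern void CredFree(IntPtr buffer);

    static void Main(string[] args)
    {
        // Step 1: the application names the resource (hypothetical target name).
        string resource = args.Length > 0 ? args[0] : "ExampleApp:demo";
        IntPtr p;
        if (!CredRead(resource, CRED_TYPE_GENERIC, 0, out p))   // steps 2-4
        {
            int err = Marshal.GetLastWin32Error();
            if (err != ERROR_NOT_FOUND) throw new Win32Exception(err);
            Console.WriteLine("Nothing stored for {0}; prompt the user instead.", resource);
            return;
        }
        try
        {
            CREDENTIAL c = (CREDENTIAL)Marshal.PtrToStructure(p, typeof(CREDENTIAL));
            // Assumption: the blob was stored as UTF-16 text. Never log the secret itself.
            string secret = c.CredentialBlobSize == 0 ? ""
                : Marshal.PtrToStringUni(c.CredentialBlob, (int)c.CredentialBlobSize / 2);
            Console.WriteLine("User {0}, secret of {1} characters", c.UserName, secret.Length);
        }
        finally { CredFree(p); }   // the buffer belongs to the credential API
    }
}
```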



The Credential Manager is nothing new for Windows 7 and has been present since Windows XP. The documentation has been available on MSDN for a long time, since Windows XP.

Maybe next time Rafael and Paul should consider digging more into the feature before concluding that it's something new to Windows 7 and undocumented by Microsoft. Windows applications, especially Microsoft products, make use of this Credential Manager a lot.

Credential Manager & Windows Vault are nothing new and have just got a new shiny user interface in Windows 7.

Comments
#1 superkid on 07 Mar 2009 - 14:17
Looks good. I like how you can back up your passwords and data though, that's awesome.
#2 FaiKee on 07 Mar 2009 - 14:22
That's a good one, I always wanted to clean up the damn cookies but then I need to enter logon afresh afterwards lol.
#3 TsarNikky on 07 Mar 2009 - 14:33
Perhaps the feature was so well hidden in the past, that for all intents and purposes it did not exist. This situation is happening with increased frequency as Operating Systems and applications get more and more complicated. In essence, if a user can't find (or worse, can't figure out how to use) a feature then it does not exist. That may have been the situation with Messrs. Rafael and Paul.
#4 DOOOMKULTUS on 07 Mar 2009 - 14:51
I didn't get it. Dammit
#5 artfuldodga on 07 Mar 2009 - 16:55
A good and secure way to manage passwords for websites, the browser I assume wouldn't have to store your information at all? Hope developers make use of it.
#6 rakeshishere on 07 Mar 2009 - 17:08
Excellent 10 thumbs up, because it's good to know that Office 2007 is using some of the features present in Windows 7. Now if only other 3rd programs started using Jumplist and other API and additional features and give users some real hardcore functionality.
(2 replies) #7 DrOmango on 07 Mar 2009 - 17:45
Sooo, do I include the full URL or what? Like for MySpace, Facebook, and a lot of other websites that require a password no matter how many times visited?
#7.1 +M2Ys4U on 07 Mar 2009 - 19:45
Your browser will have to have support for the credentials manager first.
#7.2 Chris-Gonzales on 08 Mar 2009 - 08:03
Any site that requires a log in. Also note it doesn't matter how much you visit the site, you could visit it 50 million times and the log in still won't be saved. It's the cookies and stored information that keeps the passwords in check.
#8 McDave on 07 Mar 2009 - 17:45
In Vista the credential manager can be found under User Accounts if anyone is interested.
#9 Faisal Islam on 07 Mar 2009 - 18:06
great.
#10 Raikou Tch on 07 Mar 2009 - 18:24
This looks INCREDIBLY confusing/complicated. Maybe it isn't, but it seems like it takes a lot of work just to have it remember your password.
#11 sibot on 07 Mar 2009 - 20:37
I personally think it's simpler than how complicated you've made it look.
(9 replies) #12 nunjabusiness on 07 Mar 2009 - 20:48
So you knew about and have been using this feature for "quite some time ... even before Paul and Rafael might have discovered it?" I find it immensely entertaining that you feel the need to claim this, essentially indicating that you are more knowledgeable than two VERY noteworthy and famous Windows experts.

So, have you blogged or otherwise written publicly about it EVER before this article?

Didn't think so.
#12.1 sibot on 07 Mar 2009 - 21:17
Yeah, that comment was totally uncalled for. I'm actually surprised he's claiming something like that.
#12.2 Chaks on 07 Mar 2009 - 23:49
This particular feature has been there since Windows XP and is nothing new for Windows 7. If you see the comments in Rafael's post (linked in the article), there are people who say they have been using this feature.
#12.3 Marshalus on 08 Mar 2009 - 00:27
Just because Thurrott or Rafael posted about it, didn't mean they discovered it. I'd seen it in Windows 7 for a while now, but never poked around in it. It's been sitting in the Control Panel of anyone who had Windows 7 installed waiting to be "discovered" ... it's not like they found Atlantis.
#12.4 CalumJR on 08 Mar 2009 - 03:34
@nunjabusiness -

What has that got to do with the content of the article? That is just an attack on the way the reporter has written this article.

There is no need for a comment like that - it does not provide any form of meaningful discussion about said article.
#12.5 Saarineames on 08 Mar 2009 - 03:35
What's the big deal? Chaks starts off letting you know he has experience using this feature, and is going to expound upon it while integrating outside information to the article as well. Yes, maybe the opening sentence could have been worded differently for the overly-critical, but I'm guessing anyone who took offense to that comment stopped reading right there because they found exactly what they were looking for: nitpicking ammo to post in the comments.
#12.6 nunjabusiness on 08 Mar 2009 - 12:20
Thank you sibot for not ENTIRELY missing my point. The author's statement ALSO had nothing whatsoever to do with the topic and added nothing to the article. I spent years as an editor at a newspaper and if a writer had brought that to me I would have struck the first sentence and reprimanded him for grandstanding.
#12.7 nunjabusiness on 08 Mar 2009 - 12:23
CalumJR said,
@nunjabusiness -

What has that got to do with the content of the article? That is just an attack on the way the reporter has written this article.

There is no need for a comment like that - it does not provide any form of meaningful discussion about said article.

Your criticism applies perfectly to the subject of my post as well.
#12.8 CalumJR on 09 Mar 2009 - 05:29
nunjabusiness said,
Thank you sibot for not ENTIRELY missing my point. The author's statement ALSO had nothing whatsoever to do with the topic and added nothing to the article.


The reporter stated that Paul and Rafael are friends of Neowin and they are. They also both covered PDC with us. Therefore, they obviously won't mind this. Why would we insult our friends?
#12.9 Lowdown on 09 Mar 2009 - 14:47
This may be considered an editorial, nunjabusiness, but if you want something professional like a newspaper I suggest you should, well, go read a newspaper.
(6 replies) #13 kaborka on 07 Mar 2009 - 21:43
Even if the browser supported Credential Mgr, I would not trust my online banking logins to a MS product. I use KeePass for all my web logins and other passwords. One (long) master passphrase to remember, then ^U to open an URL, ^V to login. Simple and elegant, AES encryption, and I can leave copies of my vault on my various computers without worry.
#13.1 JonathanMarston on 07 Mar 2009 - 23:20
kaborka said,
Even if the browser supported Credential Mgr, I would not trust my online banking logins to a MS product. I use KeePass for all my web logins and other passwords.


Because we all know that a program written by some random guy on the Internet is always going to be more trustworthy than a Microsoft product...
#13.2 Nightkrawler on 08 Mar 2009 - 00:39
JonathanMarston said,
Because we all know that a program written by some random guy on the Internet is always going to be more trustworthy than a Microsoft product...

I'm not using it (using "Keychain" in OSX which sounds awfully like Windows Vault...- that's another story ) but KeePass is open source. So it is actually more trustworthy than a Microsoft product.
#13.3 +Vlad on 08 Mar 2009 - 02:53
KeePass is fantastic. It'll be a cold day in hell when I trust Microsoft with my passwords to anything important. I don't even trust them with my personal files anymore.
#13.4 Chaks on 08 Mar 2009 - 03:19
I am sorry, but I think you are getting it wrong. KeePass is different from this Credential Manager. Microsoft products such as Microsoft Office do not use KeePass and they internally use Credential Manager to cache and persist the authentication, if the user chooses to do so. And application developers too can make use of this and integrate their apps with this credential manager.

I think it all comes down to choice. Like, I don't have any problem trusting Microsoft, but some would like to use third party apps. But you won't be able to change it if the application chooses to use the credential manager, as the application is integrated with it already.
#13.5 Chris-Gonzales on 08 Mar 2009 - 08:14
Nightkrawler said,
I'm not using it (using "Keychain" in OSX which sounds awfully like Windows Vault...- that's another story ) but KeePass is open source. So it is actually more trustworthy than a Microsoft product.


So you're saying Microsoft is not trustworthy? That includes Windows.
#13.6 Nightkrawler on 08 Mar 2009 - 12:10
Chris-Gonzales said,
So you're saying Microsoft is not trustworthy? That includes Windows.

No, that's not what I meant. I should have written "any closed source Software" not "a Microsoft Product". I'm sorry if anyone misunderstood that - I was just referring to JonathanMarston's comment.

My point was that an open source application can be more trustworthy than any closed source software. That doesn't necessarily mean that the app is more secure than a closed source app but the fact that the programmers also share the source code shows that they really just want to play an open game here - they can't hide backdoors but they also can't hide security holes.
(1 reply) #14 Prince17 on 08 Mar 2009 - 07:34
Doesn't Mac use something similar called "Keychain Access" ?
#14.1 Chaks on 08 Mar 2009 - 07:51
Yep. Every OS has its own credential manager
#15 XerXis on 08 Mar 2009 - 10:37
So how does the sdk work? I see a checkbox "show passwords" does that mean any program can see the passwords of any credential they want?
#16 Examinus on 08 Mar 2009 - 11:20
Looks a bit complicated.
(2 replies) #17 Jugalator on 09 Mar 2009 - 08:37
Doh!

This feature is simply based on the credential manager in XP, with all its features and limitations.
So no, by far most apps, especially web apps, won't be able to use it as a password storage.

Here it is on Vista:
http://www.tomstricks.com/wp-content/uploa...credentials.jpg

Here it is on XP:
http://onnraves.com/wp-content/uploads/200...d-passwords.png

And what is this all about in THIS article:
The Credential Manager is nothing new for Windows 7 and is present since Windows XP. The documentation is available in MSDN for quite a long time since Windows XP.

Maybe next time Rafael and Paul should consider digging more into the feature before concluding that it's something new to Windows 7 and undocumented by Microsoft. Windows applications, especially Microsoft products, make use of this Credential Manager a lot.

Credential Manager & Windows Vault are nothing new and have just got a new shiny user interface in Windows 7.

???

Why do you post a story here on Neowin if you also flame it for not being news!? Why is this note not higher up?
Many will think this is a cool new Windows 7 feature now. :p

Last edited by Jugalator on 09 Mar 2009 - 08:44
#17.1 Chaks on 09 Mar 2009 - 10:08
We try to make it clear when some fail to do so. Thanks
#17.2 Calum on 09 Mar 2009 - 10:49
Jugalator said,
Why do you post a story here on Neowin if you also flame it for not being news!?


The reporter did not flame this and did not say it wasn't news. Please rethink such replies before you make rash comments.

The reporter simply said this feature was in Windows XP. It has gotten more exposure lately from many news outlets. It makes sense to highlight this on our front page.
#18 PrudentPanda on 02 Nov 2009 - 01:33
I never used automatic log in. It is not secure because my desktop can be accessed by anyone in my room. Just in case.. but it is still too risky.