Use Credential Manager to cache credentials
Do not implement your own credential cache. Wherever possible, have the application hand its credentials to Credential Manager rather than caching them itself. This gives consistent behavior across applications, lets credentials be shared, and lets the operating system service use the best credential storage the device offers.
Beware of the security risks of credential type CRED_TYPE_PLAINTEXT_PASSWORD
Plaintext credentials are the least secure type and put your sensitive information at the greatest risk. Avoid saving credentials of type CRED_TYPE_PLAINTEXT_PASSWORD. Consider the alternatives: save a verifier or a salted hash of the password instead, so that the stored blob lets you check a password but not recover it. If the credential must be read only by privileged code, mark it with CRED_FLAG_TRUSTED when you call CredWrite. If the credential is rarely used, consider requiring user authentication on every read by marking it with the CRED_FLAG_SENSITIVE flag.
Use CRED_FLAG_TRUSTED when applicable
If a credential is to be read only by privileged code, set the CRED_FLAG_TRUSTED flag when you call CredWrite. Note that this protection covers only the credential blob; other fields, such as the target and the user name, remain readable by normal (untrusted) code. For the flag to be effective, the device must implement the two-tier trust model.
Do not use CRED_FLAG_PERSIST if the credential should not persist in the registry
If the credential must live only in memory, do not set the CRED_FLAG_PERSIST flag: a persisted credential is written to the registry and outlives both the process and the current boot. For more information about the CRED_FLAG_PERSIST flag, see the CRED structure.
Use the proper flags to require an exact target match when using CredRead
In some cases, when you use CredRead to retrieve a credential, you want only a credential whose target exactly matches the one you asked for, and not the default or implicit default credential of that type. Depending on which fallback you need to exclude, set dwFlags of CredRead to CRED_FLAG_NO_DEFAULT or CRED_FLAG_NO_IMPLICIT_DEFAULT; otherwise a lookup for a target that has no stored credential can still succeed with a fallback credential, and code that assumes an exact match will act on it. For more information, see the Remarks section of CredRead.
Do not cache credentials
Do not cache credentials in your application, and especially not the credential blob. Instead, keep only the type, target, and user information that identify the credential. When the credential is required, call CredRead to retrieve the blob, use it, and discard it.
Implement user verification
You can protect sensitive credentials by requiring user verification before the credential is accessed. If the user must authenticate before the application reads a credential, set the CRED_FLAG_SENSITIVE flag when you call CredWrite. When the application later calls CredRead, Credential Manager calls the VerifyUser function to authenticate the user before it passes the credential blob to the caller.
For the CRED_FLAG_SENSITIVE flag to be effective, the device must include the Local Authentication Subsystem (LASS) component.
Avoid collisions by specifying unique target names
Different applications may write credentials of the same type, and a credential is looked up by its type and target name. If you use Credential Manager as a private store for credentials specific to your application, prefix the target name with an application-specific string so that another application's credential of the same type is far less likely to collide with yours.
Clear credential data from memory after use
Do not leave credentials in memory after use. Clear all credential data from temporary storage, including stack buffers and any copy you made of the blob returned by CredRead, by calling SecureZeroMemory. Use SecureZeroMemory rather than memset for this purpose: a compiler may remove a memset on a buffer that is never read again, whereas SecureZeroMemory is guaranteed to perform the writes.