I'm working on a "run as" option for launching applications (and documents) under different credentials. I'm using the present tense, but it's actually completed for the upcoming version 0.9.5.
But I have a huge security concern about remembering the password between sessions. I currently allow saving the provided password in the configuration file, using the Data Protection API to encrypt it. The problem with this technique is that any process running with the same credentials as slimKEYS (any other user process) can decrypt that password, given it knows what salt was used initially. A simple run of Reflector can show you that salt! And don't talk to me about obfuscation: that's just an extra door any talented developer can go through.
What do you expect an application to do if you tell it to remember your passwords? Is the aforementioned use of the Data Protection API enough for you? Do you have suggestions?
I do have one suggestion: The first time you launch an application using the "run as" option during a session, slimKEYS would ask you for a master password, which would be used as the salt. Subsequent launches would not ask for that master password, until slimKEYS is closed and restarted. How do you like that?
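As an added illustration of that first suggestion (this is example code written for this post's discussion, not slimKEYS' own implementation), the sketch below derives DPAPI's optional entropy from a master password that is asked for once per session and kept only in memory. The class name, the fixed KDF salt string and the iteration count are assumptions; `ProtectedData` and `Rfc2898DeriveBytes` are the standard .NET APIs.

```csharp
// Added example, not slimKEYS code: DPAPI with entropy derived from a
// session-scoped master password. Names and constants are assumptions.
using System;
using System.Security.Cryptography;
using System.Text;

public static class RunAsCredentialStore
{
    // Non-secret KDF salt (constructed value): it only makes the derivation
    // application-specific. The secret input is the master password, which
    // is never stored, so reading this constant out of the assembly is useless.
    private static readonly byte[] KdfSalt = Encoding.UTF8.GetBytes("slimKEYS-runas-v1");
    private const int KdfIterations = 100000;

    // Lives only for the lifetime of the process; never written to disk.
    private static byte[] sessionEntropy;

    // Called on the first "run as" launch of a session (hypothetical flow).
    public static void UnlockSession(string masterPassword)
    {
        using (var kdf = new Rfc2898DeriveBytes(masterPassword, KdfSalt, KdfIterations))
        {
            sessionEntropy = kdf.GetBytes(32);
        }
    }

    // Called when slimKEYS exits: wipe the entropy so a restart must ask again.
    public static void LockSession()
    {
        if (sessionEntropy != null)
        {
            Array.Clear(sessionEntropy, 0, sessionEntropy.Length);
            sessionEntropy = null;
        }
    }

    // Returns a base64 blob suitable for the configuration file.
    public static string ProtectPassword(string password)
    {
        RequireUnlocked();
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, sessionEntropy, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    // Throws CryptographicException if the master password is wrong or the
    // blob was protected under a different Windows user.
    public static string UnprotectPassword(string base64Blob)
    {
        RequireUnlocked();
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(blob, sessionEntropy, DataProtectionScope.CurrentUser);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    private static void RequireUnlocked()
    {
        if (sessionEntropy == null)
            throw new InvalidOperationException("Master password has not been entered this session.");
    }
}
```

What this buys is precise: the configuration file plus the DPAPI user key are no longer enough to recover the saved password, because the entropy now depends on a secret that exists only in the user's head and in slimKEYS' memory for the current session. What it does not buy is protection against another process running as the same user that can read that memory while the session is unlocked, so the master password raises the bar rather than removing the problem; wiping the entropy on exit and choosing a slow KDF are what make the saved blob worth little on its own.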
Another suggestion: slimKEYS does not remember passwords between sessions. Better?