Reputation: 60213
Firefox has to store passwords. That is totally unsafe, but it has to do it, that's all.
My C# app has the same requirement (it is a kind of browser).
Rather than storing passwords in plaintext, Firefox obfuscates them a bit.
What is the best practice for this kind of obfuscation?
For instance, here is Firefox's strategy, if I understand well:
Is my understanding correct?
Is there any better strategy, or even a C# library for this?
Similar questions for other programming languages have unsatisfying answers: they don't go as far as Firefox, just suggesting rot13 or base64, which makes it easy for automated malware to identify obfuscated passwords in unknown software (just searching for the base64 value of common passwords).
Once again: it will not resist any attacker, I know. But if Firefox cares I should too.
Upvotes: 1
Views: 2413
Reputation: 275
It would probably be easiest to use encryption rather than obfuscating. Obfuscating code generally makes it harder for someone to identify what is what in code if they viewed the source. If you don't encrypt the information, however, people can still figure it out.
My advice would be to use AES-256 or Triple DES-128 encryption.
Easily, you could have the passwords stored in a text file and then encrypted. Only then through your browsers can the file be decrypted.
Upvotes: 1
Reputation: 887509
You should use the ProtectedData class to encrypt the passwords.
You can specify DataProtectionScope.CurrentUser to encrypt data using the current user's Windows login password, so that no other user can decrypt it (this also works if the user has no password).
Upvotes: 6
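A sketch of the ProtectedData approach from the answer above, added here as an example and not code from either poster. The `PasswordVault` class, the entropy string and the one-file-per-site layout are assumptions; the API is Windows-only, and on .NET Core / .NET 5+ it ships in the System.Security.Cryptography.ProtectedData package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: one DPAPI-protected blob per site in a directory chosen by the app.
static class PasswordVault
{
    // Constructed, app-specific entropy. It is not a secret key: it only means that
    // Unprotect must be called with the same value, on top of running as the same user.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyBrowser.PasswordVault.v1");

    public static void Save(string dir, string site, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(PathFor(dir, site), blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // shorten plaintext lifetime in memory
        }
    }

    // Returns null when there is no entry or the blob cannot be decrypted.
    public static string Load(string dir, string site)
    {
        string path = PathFor(dir, site);
        if (!File.Exists(path)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy,
                                                   DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException)
        {
            return null; // different Windows user, different entropy, or modified file
        }
    }

    // Hashing the site name gives a fixed-length, filesystem-safe file name.
    static string PathFor(string dir, string site)
    {
        using (var sha = SHA256.Create())
            return Path.Combine(dir, BitConverter.ToString(
                sha.ComputeHash(Encoding.UTF8.GetBytes(site))).Replace("-", "") + ".bin");
    }
}
```

Any process running as the same Windows user that supplies the same entropy can still call Unprotect, which matches the question's premise that this raises the bar without stopping a local attacker.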