How secure is ProtectedData.Protect (DPAPI)?

Question

Suppose someone gets access all of my hard disk, I guess the weak spot would be my windows password. Without knowing/being able to retrieve that, the data should be pretty m

Answer 1

See this article on DPAPI Security. Basically, it is as secure as your Windows password -- if your password is reset by an administrator, the decryption key will be lost. The major attack vectors you'll need to look at are:

• Password disclosure: "shoulder surfing", sticky notes, etc.
• Capture of the computer's accounts database and the use of a password cracker
• Online attack by "drive-by download", removable media AutoPlay, etc.
• Capture of a password reset disk, if you've made one
• Physical installation of a key-logging device or other "bug"