Credentials and their storage

We have a software technique project this term that implements a network-based credential storage. Some other important articles: Keith Brown, A .NET Developer's Guide to Windows Security: Understanding Protocol Transition (allows servers to impersonate clients without their passwords). Grid computing experts talk about "the year we lost control of the desktop", meaning that the PC is no place to store long-running credentials. For an alternative using a proxy wallet (called "purse") and a lightweight authentication protocol, see: Gridlogon, Purse. Registries are also supposed to keep passwords encrypted (LDAP), which causes subtle interoperability problems (see the RACF security service on z/OS and its interoperation with an LDAP front-end registry, in the IBM Redbook on WebSphere on z/OS).

Web application servers introduce the concept of a "vault" to store user credentials. But most application servers still store their own passwords (needed for DB access etc.) in configuration files. This is not only a security problem: read Keys Botzum's notes on how to update passwords in a complex web application infrastructure with portals, DBs, servers etc. (Meet the experts: Keys Botzum on WebSphere security). If there ever was a reason not to use passwords anymore, this is it.
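As an added illustration of the two problems named above (plaintext server passwords in configuration files, and the rotation burden they create), the following Python example is not taken from any of the cited sources. It scans a constructed INI-style datasource configuration for sensitive keys that hold literal values, and accepts only `${secret:name}` references that are resolved at load time from a secret store. The store here is a hypothetical in-memory dictionary standing in for an application server vault; the config contents, the `${secret:...}` syntax and the key names are all constructed for the example. Rotating a password then changes only the store, not the configuration files spread across portals, servers and databases.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample config: the first datasource carries the weak pattern
# (a literal password in the file), the second references the vault instead.
SAMPLE_CONFIG = """
[datasource.orders]
url = jdbc:db2://dbhost:50000/ORDERS
user = appsrv
password = Summer2007!

[datasource.portal]
url = jdbc:db2://dbhost:50000/PORTAL
user = portal
password = ${secret:datasource/portal/password}
"""

# Hypothetical in-process secret store; a real deployment would back this
# with the application server vault or an external secret manager.
VAULT: Dict[str, str] = {
    "datasource/portal/password": "initial-portal-pw",
}

# Only values of exactly this shape are accepted for sensitive keys.
SECRET_REF = re.compile(r"^\$\{secret:([A-Za-z0-9_./-]+)\}$")
SENSITIVE_KEY_MARKERS = ("password", "passwd", "secret", "token")


def _parse(config_text: str) -> configparser.ConfigParser:
    # interpolation=None so that '$' and '{' in values are taken literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser


def find_plaintext_secrets(config_text: str) -> List[Tuple[str, str]]:
    """Detection: return (section, key) pairs where a sensitive key holds a
    literal value instead of a reference into the secret store."""
    parser = _parse(config_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            sensitive = any(m in key.lower() for m in SENSITIVE_KEY_MARKERS)
            if sensitive and value and not SECRET_REF.match(value):
                findings.append((section, key))
    return findings


def resolve(value: str, vault: Dict[str, str] = VAULT) -> str:
    """Replace a ${secret:name} reference with the current value in the vault."""
    m = SECRET_REF.match(value)
    if not m:
        return value
    return vault[m.group(1)]


def load_datasource(config_text: str, section: str,
                    vault: Dict[str, str] = VAULT) -> Dict[str, str]:
    """Mitigation: refuse to start a datasource whose password is a literal;
    otherwise resolve the reference at load time."""
    sec = _parse(config_text)[section]
    pw = sec["password"]
    if not SECRET_REF.match(pw):
        raise ValueError(f"{section}: password must be a ${{secret:...}} reference")
    return {"url": sec["url"], "user": sec["user"], "password": resolve(pw, vault)}


def rotate(name: str, new_value: str, vault: Dict[str, str] = VAULT) -> None:
    """Rotation touches only the store; every config referencing the name
    picks up the new value on its next load."""
    vault[name] = new_value


if __name__ == "__main__":
    print("plaintext findings:", find_plaintext_secrets(SAMPLE_CONFIG))
    print("portal datasource:", load_datasource(SAMPLE_CONFIG, "datasource.portal"))
    rotate("datasource/portal/password", "rotated-pw")
    print("after rotation:", load_datasource(SAMPLE_CONFIG, "datasource.portal"))
```

The scanner is deliberately conservative: any sensitive key whose value is not a well-formed reference is reported, so an operator who pastes a literal into a file gets a finding rather than a silently working deployment.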