About Windows 95 Password Providers

Microsoft® Windows™ 95 introduces the idea of password providers. A password provider is a DLL that manages the changing of one or more passwords for a resource or a function.

The advantages of writing a password provider include:

A password is considered to be stored either locally or remotely. An example of a locally stored password is the Windows screen saver password; an example of remotely stored password is the Windows NT domain password. A remotely stored password is considered secure, while a locally stored password is not. Even an encrypted password is not very secure if it's stored locally because most common forms of encryption can be easily broken. Password providers need to identify their passwords as being stored locally or remotely through the PPGetPasswordStatus SPI.

A password is considered to be synchronized or not synchronized with the Windows password (if there is a Windows password). This is based on the user's selection in the Passwords Control Panel and the state can be determined by calling PwdGetPasswordStatus.

When the user changes a password through the Passwords Control Panel or common dialog box, the password provider is typically notified through the PPChangePassword SPI. The password provider is deliberately not notified in the following case, however: if the password is stored locally, and the password is synchronized with the Windows password. When verifying a typed password, the component that does password validation for a local password needs to call PwdGetPasswordStatus to determine whether the password is synchronized with the Windows password. If it is, the component should call WNetVerifyPassword with the typed password, which will determine if the user typed the Windows password. If the password is not synchronized with the Windows password, the component should compare the typed password with the password it stored locally when last notified by PPChangePassword.