In my ASP.NET web application I need to save a password in a database. (Note that this is not a login password, and a user providing such a password is given a visible security warning.) I was thinking of providing some scrambling for the password before placing it into the database.
So I was thinking of doing this:
byte[] bytesToSave_Scrambled =
    System.Security.Cryptography.ProtectedData.Protect(
        System.Text.Encoding.UTF8.GetBytes(password), // plaintext password as UTF-8 bytes
        null,                                          // no optional (secondary) entropy
        System.Security.Cryptography.DataProtectionScope.CurrentUser);
The issue is that according to this page, when I use DataProtectionScope.CurrentUser only that same user account will be able to decode it back. I can of course use DataProtectionScope.LocalMachine instead, but the documentation says that it is less secure.
So my question is, when my web app runs on a web server, does it run under the same Windows user account to ensure consistency of the scrambling method above?
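As an added example (not code from the question), a small helper that reports the Windows identity the request is actually executing under and wraps DPAPI with an application-specific secondary entropy value, so that LocalMachine-scoped data cannot be unprotected by just any process on the same box; the class, method names and the entropy string are assumptions, not part of the original post.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added example, hypothetical helper around DPAPI (ProtectedData). Windows only.
public static class PasswordScrambler
{
    // Assumed application-specific secondary entropy (constructed placeholder).
    // DPAPI needs the same bytes again to Unprotect, so a LocalMachine blob stored
    // in the database is useless to another process on the machine that lacks it.
    // Keep this value out of the database (config, app secret store, etc.).
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // The account the code runs as (normally the IIS application pool identity
    // unless impersonation is enabled). CurrentUser scope only round-trips when
    // Protect and Unprotect both run under this same account with its user
    // profile loaded (the "Load User Profile" application pool setting).
    public static string CurrentIdentityName() =>
        WindowsIdentity.GetCurrent().Name;

    public static byte[] Scramble(string password, DataProtectionScope scope) =>
        ProtectedData.Protect(Encoding.UTF8.GetBytes(password), Entropy, scope);

    public static string Unscramble(byte[] stored, DataProtectionScope scope) =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(stored, Entropy, scope));

    public static void Demo()
    {
        Console.WriteLine("Running as: " + CurrentIdentityName());

        byte[] blob = Scramble("s3cret", DataProtectionScope.LocalMachine);
        Console.WriteLine("Stored blob: " + Convert.ToBase64String(blob));

        // Round-trips on the same machine. DPAPI keys are per machine (and per
        // user for CurrentUser), so a blob written on one web server cannot be
        // unprotected on another server in a farm.
        string back = Unscramble(blob, DataProtectionScope.LocalMachine);
        Console.WriteLine(back == "s3cret" ? "round-trip ok" : "mismatch");
    }
}
```

Calling Unscramble with different entropy bytes, a different scope, or on a different machine throws a CryptographicException rather than returning wrong data, which is the check to watch for in logs when the app pool identity or host changes.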