Where to save program password securely?

Saving a password in the registry is really not a good idea. If your application is using a database the user credentials should be hashed and stored in the DB.

If you are not using a database you could store the password in the application's config file and then encrypt the relevant part of the config file.

If you insist on using the registry you could try to name the key something other than password, encrypt the actual password value and store that.
Creating a registry entry which seems like it belongs with the application should fool most users, but this is truly not a good approach.

My application is not using any database. Same problem will arise if I use config files to store password. If config file is deleted or application is reinstalled, old password will be lost.
I am currently storing hashed password in registry, but there are some registry monitoring tools available which can track exact location of registry key used by application.
Check out my application and let me know how to overcome this problem. Google search with "secure folder 2.1 subin ninan" to get my application.

Thanks for your reply.. :)

Encapsulate this password on a file inside system32 folder with a very scary name like winsjtd.onr (lol) better then read from registry.

:) thanks for your reply.
This will result in an IOException in windows vista & windows 7. (lol)
I tried this trick before i come to know about registry. Have a look at nirsoft.com. Lots of amazing tools are there like regfromapp & filefromapp which monitors registry keys & files accessed by application.
How does professional softwares stores password?

I think the issue is not the way you save the file (database or file) is the way you manage the login. Do you save data in your application?

Problem in this case in not where or how password is stored but the way application behaves when password is not found.

Application checks for password, if password is found it shows "login" form. If password is not found(first time execution), it shows "set password" form.
Problem is when someone deletes file/registry key where password was stored, in this case application again shows "set password" form.

I can't figure out how to add login functionality in my application.

Need help regarding STEPS INVOLVED in setting password and authenticating user.

Unfortunately, there is no good way around your problem. If you store the password on the local machine then the user can find a way to delete your file or registry entry no matter what. Using obscure registry keys or a random file in a random directory makes it less likely that someone will delete the file on purpose. If it is a user like me, it makes it more likely that I will delete the file because I think it is a random file or key in my registry that a sloppy program left behind, and I despise those.

There are probably very robust ways to do this, but you could link the password to the data. You could do something like hash the user's password with a private, randomly generated, fixed-length key and store the result in a file. In order to access the system the user must provide the matching password. The key that was hashed with the user's password is then used to decrypt/encrypt the data your program uses. As a final piece to the puzzle, if no password is found, you delete the data files for your program and force a fresh system.

This does a couple of things. First, you don't need random files or registry keys. You can actually keep the user's system clean because your security and system stability don't depend on chance. Second, if someone erases the password file, the data is destroyed. There is no way to bring the data back unless they back up the data and the password file and restore them both. Third, if a malicious user replaces the password file with one of their own they still have not defeated your system. The data still cannot be deciphered because they just threw away the key to decrypt the data. Finally, your hash algorithm is harder to decipher because the same password wont generate the same file twice (because you hash a random key with it).

If someone gets into your machine code and deciphers your hash algorithm, then you could be in trouble. I don't know how far you want to take this though.

Thanks for your help, how can I generate random key(salt) to hash password? In this case, I think both hashed password and key need to be saved on users system.
Can I use current user account name or IP address of system as key(salt) to hash password?
How does the application know if the password is deleted or it is executed for the first time(password not set)?
My application is a folder-lock type software, and user should not access locked folders by re-installing the application. So password file/registry key is not set/removed during installation.
I am totally confused!!