HighTechTalks DotNet Forums  

Password storage facility exe - how safe is this idea?

Dotnet Security microsoft.public.dotnet.security


EDienske
 
06-28-2007, 06:07 AM






Just because I just can't remember all those passwords for every site
I need to register for, I thought I'd try my hands on building a
windows exe in C# that I can safely store all that sensitive
information in. Obviously, just for fun, I'd like to try to make it as
secure as possible.

Here's what I thought of so far:

1. Upon startup no sensitive data is shown. User has to enter a pass-
phrase of at least 15 characters and a passcode (6 numbers). The pass-
phrase is then salt-hashed (using the passcode as salt) and compared
to the salt-hashed equivalent which is stored in a database (probably
just Access).

2. Once the user has logged in, the sensitive information is decrypted
(they are stored encrypted in the same database) using the entered
passphrase as key. User can now see this.

3. This means that no passwords or anything are stored in the actual
code which (presumably) makes this more safe should the exe be reverse-
engineered.

4. It also means that should some bad hacker person get a hold of my
database, they can't just change the pass-phrase in there and use the
application to get into my data, because the data is encrypted using
the old pass-phrase.

5. A logged in user should be able to change the pass-phrase and pass-
code, after which all the sensitive information is re-stored,
encrypted using the new pass-phrase.

My question is: how safe is this? Where are the gaping holes in this
logic? What kinds of attacks could get through this? Any suggestions
for improvement? I've found lots of information about securely storing
passwords in a web application. But not really very much about
executables.

PS: no comments about re-inventing the wheel - I'm sure there's lots
of great products out there that do all this and more - it's just a
pet project!

Cheers, Eva
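
A sketch of steps 1, 2, 4 and 5 of the design described in the post, added here as an example; it is not the poster's code. The post does not name its hash or cipher, so this assumes .NET 8, PBKDF2-HMAC-SHA256 over a random salt stored with each record, and AES-256-GCM. The passcode is treated as extra secret input rather than as the salt, and the GCM tag check stands in for the stored hash comparison. `Vault`, `Seal` and `Open` are hypothetical names.

```csharp
#nullable enable
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed demo values. The second Open runs after one stored byte has been flipped.
byte[] rec = Vault.Seal("a constructed pass-phrase", "493817", Encoding.UTF8.GetBytes("site: secret"));
Console.WriteLine(Vault.Open("a constructed pass-phrase", "493817", rec) != null);
rec[^1] ^= 1;   // simulate someone editing the database row
Console.WriteLine(Vault.Open("a constructed pass-phrase", "493817", rec) != null);

static class Vault   // hypothetical name; assumes .NET 8 or later
{
    const int Iterations = 600_000;   // assumed PBKDF2 work factor, tune for your hardware
    const int SaltLen = 16, NonceLen = 12, TagLen = 16, HeaderLen = SaltLen + NonceLen + TagLen;

    // Both login secrets feed the key derivation; nothing derived from them is stored.
    static byte[] DeriveKey(string passphrase, string passcode, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(passphrase + "\0" + passcode),
                                  salt, Iterations, HashAlgorithmName.SHA256, 32);

    // Step 2: encrypt one record, laid out as salt | nonce | tag | ciphertext.
    // Step 5 (changing the pass-phrase) is Open with the old secrets, then Seal with the new.
    public static byte[] Seal(string passphrase, string passcode, byte[] plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] key = DeriveKey(passphrase, passcode, salt);
        byte[] ct = new byte[plaintext.Length], tag = new byte[TagLen];
        using (var aes = new AesGcm(key, TagLen)) aes.Encrypt(nonce, plaintext, ct, tag);
        CryptographicOperations.ZeroMemory(key);
        return salt.Concat(nonce).Concat(tag).Concat(ct).ToArray();
    }

    // Steps 1 and 4: returns null when the secrets are wrong or the record was modified.
    public static byte[]? Open(string passphrase, string passcode, byte[] record)
    {
        if (record.Length < HeaderLen) return null;
        byte[] salt = record[..SaltLen];
        byte[] nonce = record[SaltLen..(SaltLen + NonceLen)];
        byte[] tag = record[(SaltLen + NonceLen)..HeaderLen];
        byte[] ct = record[HeaderLen..];
        byte[] key = DeriveKey(passphrase, passcode, salt), plaintext = new byte[ct.Length];
        try { using var aes = new AesGcm(key, TagLen); aes.Decrypt(nonce, ct, tag, plaintext); }
        catch (CryptographicException) { return null; }
        finally { CryptographicOperations.ZeroMemory(key); }
        return plaintext;
    }
}
```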

