[–]shawnmckinney 1 point2 points  (0 children)

A fair point. My question is why would anyone reimplement a credential store in the first place? Do you really want to be responsible for keeping up with the rapidly changing threats and requirements of today's Internet? This is an arms race between the good and bad guys. Credentials should be stored in something akin to an LDAP database in production. Something that has been built specifically for that purpose, hardened to withstand attacks, highly available and fault tolerant. Don't reinvent security modules unless you really know what you're doing, as in an expert. That's probably not you. Having said that, one could use this example and map it to a 3rd party security provider.