I want to encrypt given data using the logged-in user’s password on a Windows machine using WINAPI. I’ve been looking for a function that uses a token (or something like that) but I couldn’t find one.
Does anyone know how to do that?
Thanks! 🙂
I had written this answer earlier but then reconsidered, since I hadn’t heard of the DPAPI before. However, upon some further consideration, I’d like to offer the following opinion. The important preface here is that it all depends on your needs, though. Two conflicting possibilities come to mind:
(1) You want to offer your user complete protection and encryption that the user can trust only she will be able to decrypt, no matter the circumstances.
(2) You’re an enterprise IT manager and have all employees on a tight leash. You want them to encrypt business data as part of their workflow so that they cannot see each other’s data, but the admins can happily read everyone’s data.
If you’re in situation (2), then stop reading now and go with DPAPI, which is well suited to that case. If you prefer scenario (1), then read my original answer below.
That’s probably not a good idea. Here’s why:
The actual password will not be stored on the system (unless you have Windows 3.11 or something like that). Instead, only a hash of the password will be stored, and at login time the password that the user enters is hashed and compared to the stored hash.
So at best you could retrieve the stored hash from the system (if you have admin rights, say). However, if that’s the only datum you can go on, then any encryption key you make will be derived from that hash, rather than from the actual password. Thus anyone with access to the system could get to the stored hash, and from there derive the encryption key with relative ease.
In short, don’t. Ask the user for a dedicated, fresh password for your data and use it for only that.
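The advice above, as an added example (not part of the original answer): a key stretched from a dedicated password and a random salt can only be rebuilt by someone who knows that password, while a key computed from a stored hash can be rebuilt by anyone who reads the hash. The function names, record layout, PBKDF2 iteration count and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def _subkeys(password: str, salt: bytes):
    """Stretch the dedicated password, then split it into two independent keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    check_key = hmac.new(master, b"verify", hashlib.sha256).digest()
    return enc_key, check_key

def enroll(password: str):
    """Return (record to store beside the data, 32-byte encryption key)."""
    salt = os.urandom(16)  # fresh per enrollment, so equal passwords give different keys
    enc_key, check_key = _subkeys(password, salt)
    # Only the salt and a verifier are stored; the encryption key is never written.
    return {"salt": salt, "verifier": check_key}, enc_key

def unlock(record: dict, password: str):
    """Re-derive the key from the typed password; None means the password is wrong."""
    enc_key, check_key = _subkeys(password, record["salt"])
    if not hmac.compare_digest(check_key, record["verifier"]):
        return None
    return enc_key

def key_from_stored_hash(stored_hash: bytes) -> bytes:
    """The design the answer warns against: the only input is a value kept on disk."""
    return hashlib.sha256(b"app-key:" + stored_hash).digest()

if __name__ == "__main__":
    record, key = enroll("a dedicated passphrase")  # constructed sample password
    print("right password:", unlock(record, "a dedicated passphrase") == key)
    print("wrong password:", unlock(record, "guess") is None)
    disk_hash = bytes(16)  # constructed placeholder for a stored login hash
    # No password is needed here: holding the hash is enough to compute the key.
    print("hash-derived key:", key_from_stored_hash(disk_hash).hex())
```

The 32-byte key returned by `enroll` and `unlock` is meant to be passed to an authenticated cipher such as AES-GCM from a cryptography library.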