Friday, July 2, 2010

Password storage location: Web browsers


Not all passwords are stored at same location. In general windows PC stores its password file under different location to where browsers stores there password file. Here lets talk about those locations and technical details that major browsers are storing their password files.

Google Chrome:

Google chrome browser stores the password in windows machine at [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data.
Google Chrome uses SQLite as the storage space for passwords and other web page related critical data's. Google done a appreciate work by extracting windows specifif code from the cross-platform stuff. The only Windows specific code here is the encryption function, which can easily be ported by creating a different Encryptor object for each OS. The important piece here is CryptProtectData, which is a Windows API function for encrypting data. Data encrypted with this function is pretty solid. It can only be decrypted on the same machine and by the same user that encrypted it in the first place

Mozilla Firefox

The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version) These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name] Also, key3.db, located in the same folder, is used for encryption/decription of the passwords.
Firefox is much better than Internet Explorer in terms of managing “remembered” logins. In Internet Explorer, there is no built-in feature where you can manage or view your saved login information. That’s why you need third party tools to reveal the passwords hidden under asterisks. As for Firefox, you can access remembered passwords with a few clicks.
To view your remembered passwords in Firefox browser, go to Tools, and click on Options. Go to Security tab and click on the Show Passwords button. A remember password dialog box will appear. Click on the Show Passwords button again and a new column with password will appear.
Upon clicking the saved password location (tools-options-security-saved passwords), you won’t need any tools to reveal the hidden passwords under asterisks. It’s a feature that’s included in Firefox browser. So any one who has access to your work station can typically spy into your password by going around to security tab in the options location.
One useful tool that worth sharing about Firefox browser password management  is "Firepassword" . FirePassword is the console tool designed to decrypt the username and password list from Firefox sign-on database. Firefox records the login details such as username and password for every website authorized by the user and stores them in the sign-on database file in encrypted format.  It works on similar line as Firefox’s built-in password manager but it can be used as offline tool to get the username/password information without running the Firefox. It is DOS based and the manual says that FirePassword requires only 3 files which is key3.db, cert8.db and signons.txt. This 3 files can be found in Firefox profile directory.
All you need to do is to place the 3 files together with FirePassword and run FirePassword.exe. Weirdly, I am able to decrypt all my username and password by copying ONLY the signons.txt file. Looks like it’s not necessary to include the other 2 files.
For detailed technical explanation click here

Internet Explorer > 7.0 (Updated version 6.0):

  • Auto complete passwords are stored under Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  • Documents and Settings\Application Data\Microsoft\Credentials is the credential file location used to save  HTTP authentication passwords
An automatic tool that used to retrieve IE password is IE PassView can be used to recover these passwords

Opera:

The passwords are stored in wand.dat filename, located under [Windows Profile]\Application Data\Opera\Opera\profile

Safari:

Safari stores password data via Keychain. /Applications/Utilities/Keychain Access (on Mac)
On PC, All that data is stored in plist files at: C:\Documents and Settings\(UserName)\Application Data\Apple Computer\Safari
I believe it is FormValues.plist

ThunderBird:

The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name] You should search a filename with .s extension.

Google Talk:

All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]

MSN Messenger version 7.x:

The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]

Windows Live Messenger version 8.x/9.x:

The passwords are stored in the Credentials file, with entry name begins with "WindowsLive:name=". These passwords can be recovered by both Network Password Recovery and MessenPass utilities.

Yahoo Messenger 7.5 or later:

The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager - "ETS" value. The value stored in "ETS" value cannot be recovered back to the original password