Brainfoldb4u's Blog

Just another WordPress.com weblog

Archive for March 16th, 2010

Where do popular browsers and Chat applications store their passwords

Posted by brainfoldb4u on March 16, 2010

I got this question raised in an interview with Google “Where do browsers and popular messengers store their password” I kind of wondering for an answer to this questions. After some search i found answers for those question which i thought of sharing it with you all.

Fact is major browsers and applications tend to store the password in a way to hide/prevent you from altering it. Even by knowing the location its hard to move it from one machine to another.

Google Chrome:

Google chrome browser stores the password in windows machine at [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data.

Google Chrome uses SQLite as the storage space for passwords and other web page related critical data’s. Google done a appreciate work by extracting windows specifif code from the cross-platform stuff. The only Windows specific code here is the encryption function, which can easily be ported by creating a different Encryptor object for each OS. The important piece here is CryptProtectData, which is a Windows API function for encrypting data. Data encrypted with this function is pretty solid. It can only be decrypted on the same machine and by the same user that encrypted it in the first place

For more technical explanation click here :  how Google chrome stores password

Mozilla Firefox

The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version) These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name] Also, key3.db, located in the same folder, is used for encryption/decription of the passwords.

Firefox is much better than Internet Explorer in terms of managing “remembered” logins. In Internet Explorer, there is no built-in feature where you can manage or view your saved login information. That’s why you need third party tools to reveal the passwords hidden under asterisks. As for Firefox, you can access remembered passwords with a few clicks.

To view your remembered passwords in Firefox browser, go to Tools, and click on Options. Go to Security tab and click on the Show Passwords button. A remember password dialog box will appear. Click on the Show Passwords button again and a new column with password will appear.

Upon clicking the saved password location (tools-options-security-saved passwords), you won’t need any tools to reveal the hidden passwords under asterisks. It’s a feature that’s included in Firefox browser. So any one who has access to your work station can typically spy into your password by going around to security tab in the options location.
One useful tool that worth sharing about Firefox browser password management  is “Firepassword” . FirePassword is the console tool designed to decrypt the username and password list from Firefox sign-on database. Firefox records the login details such as username and password for every website authorized by the user and stores them in the sign-on database file in encrypted format.  It works on similar line as Firefox’s built-in password manager but it can be used as offline tool to get the username/password information without running the Firefox. It is DOS based and the manual says that FirePassword requires only 3 files which is key3.db, cert8.db and signons.txt. This 3 files can be found in Firefox profile directory.

All you need to do is place the 3 files together with FirePassword and run FirePassword.exe. Weirdly, I am able to decrypt all my username and password by copying ONLY the signons.txt file. Looks like it’s not necessary to include the other 2 files.

For detailed technical explanation click here

Internet Explorer > 7.0 (hope you all have updated from version 6.0):

  • Auto complete passwords are stored under Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  • Documents and Settings\Application Data\Microsoft\Credentials is the credential file location used to save  HTTP authentication passwords

An automatic tool that used to retrieve IE password is IE PassView can be used to recover these passwords

Opera: The passwords are stored in wand.dat filename, located under [Windows Profile]\Application Data\Opera\Opera\profile

Safari: Safari stores password data via Keychain. /Applications/Utilities/Keychain Access (on Mac)

On PC, All that data is stored in plist files at: C:\Documents and Settings\(UserName)\Application Data\Apple Computer\Safari

I believe it is FormValues.plist

ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name] You should search a filename with .s extension.

Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]

MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]

Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry name begins with “WindowsLive:name=”. These passwords can be recovered by both Network Password Recovery and MessenPass utilities.

Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value. The value stored in “ETS” value cannot be recovered back to the original password

Posted in Auditing, Browser Security, Google, Security tools, vulnerability assessment | Tagged: | 1 Comment »