Scott Hanselman

Saving and Retrieving Browser (and other) Passwords

August 9, '13 Comments [21] Posted in Tools

The security balance is always user convenience vs. absolute security. You want security? Disconnect your computer from the internet. Don't save your passwords. Use multi-factor authentication. But that's not reasonable.

  • Browsers let you save the contents of Forms that you fill out, including passwords.
  • Some browsers sync those settings/histories/passwords to other computers with that browser running, if you are signed into a service with a master password.
  • Those passwords need to be stored somewhere locally, and they need to be retrieved by the browser (which is not running as administrator) so that the browser can fill out your form for you.
  • Someone writes code to retrieve those passwords.
  • If you, running as you, the user, can access those passwords, then other code running as you, the user, can also access them.

If you don't like this, don't save your passwords.

I think the concern (I know I was concerned) in the recent hubbub about browser security is the feeling of casual disclosure. It is uncomfortable when it seems easy to get at your passwords. But they are still there either way.

Remember the 10 Immutable Laws of Security, specifically #3.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Every password vault has this behavior. If your passwords are stored locally, they may be encrypted, but they are stored with reversible encryption, because the browser has to get the plaintext back to fill in the form.

Is this a security problem/bug/flaw? No. You saved your passwords as the user and they can be retrieved by code running as the user.
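To make the "reversible encryption" point concrete, here is an added example (not Scott's code, and not the storage mechanism of any particular browser): a small C# program that saves a secret with Windows DPAPI in CurrentUser scope and then reads it back with no key at all, which is exactly what any other program running as that user could do. DPAPI, the file path and the sample secret are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Illustrates "encrypted, but reversibly, and bound only to the user".
// DPAPI is assumed here as a representative per-user mechanism; the post
// does not say which API any given browser uses.
class ReversibleStorageDemo
{
    // Constructed path for the demo; a real app would choose its own.
    static readonly string StorePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "demo-vault.bin");

    // "Save password": encrypt under the current user's logon secret.
    // The application supplies no key, so the user's identity is the only guard.
    static void Save(string secret)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(StorePath, blob);
    }

    // "Retrieve password": any process running as the same user can call this
    // with no key material and get the plaintext back. Under a different user
    // account (or after the profile is lost) Unprotect throws CryptographicException.
    static string Load()
    {
        byte[] blob = File.ReadAllBytes(StorePath);
        byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        Save("correct horse battery staple"); // constructed sample secret
        string onDisk = Convert.ToBase64String(File.ReadAllBytes(StorePath));
        Console.WriteLine("Stored on disk (opaque to other users): {0}...", onDisk.Substring(0, 24));
        Console.WriteLine("Recovered by code running as you:       {0}", Load());
        // A vault with a master password adds a key the user must supply at run
        // time; that is the extra step DPAPI-only storage does not have.
    }
}
```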

Here are just a few lines of code to retrieve and dump your Windows Password Vault on Windows 8.

using System;

namespace DumpCredentials {
    class Program {
        // Print one credential. RetrievePassword() must have been called on it
        // first, otherwise the Password property is empty.
        static void DumpCredentials(Windows.Security.Credentials.PasswordCredential cred) {
            Console.WriteLine("Resource: {0}", cred.Resource);
            Console.WriteLine("UserName: {0}", cred.UserName);
            Console.WriteLine("Password: {0}", cred.Password);
        }

        static void Main(string[] args) {
            // The vault is per-user; no elevation is needed to open it.
            Windows.Security.Credentials.PasswordVault vault = new Windows.Security.Credentials.PasswordVault();
            Console.WriteLine("{0}", vault.GetType());
            foreach (var cred in vault.RetrieveAll()) {
                cred.RetrievePassword(); // populates cred.Password
                DumpCredentials(cred);
            }
        }
    }
}

Feel free to change your browser settings if you like to not save your passwords, or consider other password vaults like LastPass, KeePass, or 1Password.

Chrome

[screenshot: Chrome's password-saving setting]

...and also...

[screenshot: Chrome's password-saving setting, continued]

Internet Explorer

[screenshot: Internet Explorer's password-saving setting]

Firefox

[screenshot: Firefox's password-saving setting]

The code to dump Windows 8 Passwords is here. It will compile with VS2012 on Win 8. If you just want the EXE to run, download it here.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Saturday, August 10, 2013 12:26:51 AM UTC
Small correction: it's KeePass.

I may be biased, but it seems to me that LastPass runs in the browser (urk) and 1Password is non-free (in both senses). Again, I don't want to start a flame war over password managers.

My $0.02
Saturday, August 10, 2013 12:46:50 AM UTC
I agree with what you said, but I think there are still levels of security. There's a difference between someone walking over to your computer when you're in the bathroom and being able to casually look up your password for your banking site versus a hacker having hours of access to your computer and being able to extract all your passwords.

I think I read the same article you did, and a comment I heard quite often was 'all browsers do that'. I don't think that's the right approach - I think you could make a solid argument that all browsers are wrong in this regard. I think they should all enforce a master password at the very least.
Saturday, August 10, 2013 1:08:00 AM UTC
How do we know that exe won't email our passwords to you? ;)
John
Saturday, August 10, 2013 1:45:57 AM UTC
@John, two ways: (1) you can examine the source code for KeePass, Password Gorilla, Password Safe, KeePassX, or any other open source password manager. (2) You can monitor network traffic sent from any of these programs to remote servers.
Saturday, August 10, 2013 1:54:03 AM UTC
@Yawar, (1) John was talking about Scott's little bit of code, not KeePass (2) He was making a joke (note the smiley). Personally, I like LastPass. Having it run in the browser is a good thing IMO, I don't have to think about it, I just visit a site from my bookmarks and it fills in the form as soon as the page loads. Easy-peazy.
Craig
Saturday, August 10, 2013 2:19:57 AM UTC
Note that even if the plugin runs in the browser, that's a convenience feature - the passwords are still stored somewhere and the passwords MUST be stored using reversible encryption (the web sites need the passwords in plain text since they're just form entries).

That means they need to be kept somewhere where code running as the user can decrypt them.
Saturday, August 10, 2013 3:28:39 AM UTC
This is a great write-up. It would be wonderful if the W3 could develop a means to indicate to a browser that it would accept a crypted version of your password (using an encryption algo indicated in the markup). Then, your browser wouldn't have to store plain text passwords, and the folks who run such sites couldn't possibly have a plaintext version of your password stored on some sloppily secured SQL database.

Sure, it doesn't solve the problem that if the browser stores my password encrypted that another user can't insert that encrypted password into their browser and authenticate to that site. It would fix a little bit of the shared password problem though. If I used the same password for everything, they would all have different encrypted versions (remember the salt!) and wouldn't give that away.
Tristan Irwin
Saturday, August 10, 2013 6:35:40 AM UTC
That code would be even terser in PowerShell, and everyone would be able to just copy, paste and run -- no compiler required, just the console. This should do it:


# Reference the WinRT type once so PowerShell loads it (needed for desktop PowerShell 3+)
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
Write-Host $vault.GetType()
# RetrievePassword() fills in the Password property before the object is emitted
$vault.RetrieveAll() | ForEach-Object { $_.RetrievePassword(); $_ } | Format-List Resource, UserName, Password


and the concluding pipe into format-list probably isn't necessary given the automatic formatting (warning -- untested since I'm not on a Win8 machine ATM)
Saturday, August 10, 2013 7:09:17 AM UTC
Nice post Scott. Thanks for sharing!!
Saturday, August 10, 2013 7:41:12 AM UTC
Nice post Scott,
However, not to be alarmist or sound like a paranoid psycho, but entrusting ALL my passwords to one "jackpot"? Isn't that even worse? I personally prefer all the recommendations you mentioned above as well as multi factor authentication so that even if my password is compromised I still have one more level of security.
It would also be nice if, every time any of my accounts is accessed, I got an email or some kind of alert (SMS?).
I think we will all be more secure when security is reduced to having something (a phone, a chip, etc.) or being somewhere in person (biometrics). This would be more convenient.
Concerns like this also show the advantage of curated app stores and application certification, because if our "trusted devices / systems" are compromised, what do we have left?
That said, I am not speaking from the perspective of having something to hide, rather from that of someone trying to have some privacy and guaranteed safe, uncorrupted storage of my digital life.
James
Saturday, August 10, 2013 8:46:00 PM UTC
Quick question if you don't mind: Will the code that you have provided run in a WinRT app? i.e., could all those free download apps on the store be pulling the passwords of the users that grab a copy?

Cheers
Max Calvin
Saturday, August 10, 2013 10:51:31 PM UTC
It's all well and good saying that users should be aware of the ramifications of password management in browsers, but that doesn't excuse browser makers from the same set of responsibilities. A major issue with Chrome is that passwords can be retrieved so easily (it's just a config URL away) and they cannot even be protected by a master password. It's nothing short of incompetence on Google's part.
Dave R.
Sunday, August 11, 2013 11:36:13 AM UTC
Is there any way to retrieve and dump the current user's password in Windows 7? I couldn't find any APIs in System.Security or System.Net.CredentialCache.DefaultCredentials in my console / windows app to read the password. Thanks for any tips
Rahul M
Monday, August 12, 2013 8:56:02 PM UTC
One advantage of being able to see the passwords is the ability to enter that password in another device.

The last thing I want, if I have selected a complex password, is to have to click "forgot password" and then have to update it in every device I have entered it in.

What I would rather do is: click "Show" in my browser or password vault of my choice, see what the password is, then enter it in the new device.

I'm sure it is exciting to get riled up about how "unsecure" everyone else is. In my case, this is much better for my security than if I used the same password everywhere or had to change it everywhere each time I forgot it and needed to enter it in a new program or device.

My security measure is to always lock the browser whenever I leave my machine. I even do this at home. If you want to use my machine, you will need to use your own credentials to do it.

Tuesday, August 13, 2013 1:44:51 PM UTC
It's not bad guys that are the concern (to me) with browsers making it so easy, it's non-technical friends you have around who might grab a password for a laugh. Sure if I'm logged in to a social network they can post something for fun, but it's just too easy for them to sneak a look at the password to go and post something later on.
David
Tuesday, August 13, 2013 2:48:13 PM UTC
And this is why I only save passwords in firefox using a master password.
Tuesday, August 13, 2013 4:07:22 PM UTC
Another vault, Password Safe. You can put your safe file on Dropbox and access your passwords anywhere.
David
Tuesday, August 13, 2013 11:00:50 PM UTC
This article and several of the comments point out the shortcomings of having computer software conveniently managing your passwords. One alternative method is to employ one or more algorithms to consistently reproduce passwords by employing the user's incumbent simian cognitive system. Several potentially-useful ideas for password generation via this hardware are documented here:

http://www.wikihow.com/Create-a-Password-You-Can-Remember

Combine one or more methods like these which incorporate some data specific to a given web site and you can consistently re-generate strong and unique passwords, as needed. There is of course a vulnerability to spearphishing if a sufficient number of passwords become compromised for the attacker to reconstruct your mental algorithm.

-danny
Monday, August 19, 2013 8:14:14 AM UTC
My Windows.Security.Credentials.PasswordVault is empty (when I run the executable or step through the code) - which I'm surprised by. What sort of passwords would you expect to be in here?
Tuesday, August 20, 2013 11:23:33 AM UTC
I don't think it is a good practice to save passwords. Suppose I am out of my office for half an hour; in the meantime, if other users are working on my system, they can easily access all my confidential sites' passwords, including banking sites.
If I use LastPass, KeePass, 1Password, etc., how can I ensure my security?

Friday, August 23, 2013 9:23:16 AM UTC
If you're concerned about security, you should at least lock your system when you're not around. It's not rocket science; just press Win+L and your system is locked.

Some applications respond to Windows events notifying that you've locked your system or that someone else has logged on or connected to their session. RoboForm, for example, will lock your password vault when someone else has logged on or when you resume your system from stand-by or hibernate. TrueCrypt exposes similar behavior; it will dismount TrueCrypt volumes when the same events occur.
Erik Heemskerk