Scott Hanselman

Saving and Retrieving Browser (and other) Passwords

August 9, '13 Comments [21] Posted in Tools

The security balance is always user convenience vs. absolute security. You want security? Disconnect your computer from the internet. Don't save your passwords. Use multi-factor authentication. But that's not reasonable.

  • Browsers let you save the contents of Forms that you fill out, including passwords.
  • Some browsers sync those settings/histories/passwords to other computers with that browser running, if you are signed into a service with a master password.
  • Those passwords need to be stored somewhere locally, and they need to be retrieved by the browser (who is not running as administrator) so that the browser can fill out your form for you.
  • Someone writes code to retrieve those passwords.
  • If you, running as you, the user, can access those passwords, then other code running as you, the user, can also access them.

If you don't like this, don't save your passwords.

I think the concern (I know I was concerned) about the recent hubbub about browser security is the feeling of casual disclosure. It is uncomfortable when it seems easy to get your passwords. But they are still there.

Remember the 10 Immutable Laws of Security, specifically #3.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Every password vault has this behavior. If your passwords are stored locally, they may be encrypted, but they are stored with reversible encryption.

Is this a security problem/bug/flaw? No. You saved your passwords as the user and they can be retrieved by code running as the user.

Here's just a few lines of code to retrieve and dump your Windows Password Vault on Windows 8.

using System;

namespace DumpCredentials {
    class Program {
        // Print one stored credential, including its plaintext password.
        static void DumpCredentials(Windows.Security.Credentials.PasswordCredential cred) {
            Console.WriteLine("Resource: {0}", cred.Resource);
            Console.WriteLine("UserName: {0}", cred.UserName);
            Console.WriteLine("Password: {0}", cred.Password);
        }

        static void Main(string[] args) {
            Windows.Security.Credentials.PasswordVault vault = new Windows.Security.Credentials.PasswordVault();
            Console.WriteLine("{0}", vault.GetType());
            // Enumerate every credential saved for the current user.
            foreach (var cred in vault.RetrieveAll()) {
                // Password is empty until RetrievePassword() is called.
                cred.RetrievePassword();
                DumpCredentials(cred);
            }
        }
    }
}


Feel free to change your browser settings if you like to not save your passwords, or consider other password vaults like LastPass, KeePass, or 1Password.



...and also...


Internet Explorer




The code to dump Windows 8 Passwords is here. It will compile with VS2012 on Win 8. If you just want the EXE to run, download it here.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


Penny Pinching in the Cloud: When do Azure Websites make sense?

August 8, '13 Comments [72] Posted in Azure

I had a great conversation on Twitter with Frans Bouma about pricing where he asked a number of questions that weren't easily answered in 140 characters. The pricing for these things isn't clear or easy. It's not clear or easy because it's complicated.

Frans is thinking about moving his product’s website over to Azure but he’s thinking it’s too expensive for his one website. Good question.

Here's my own Q&A about Azure Websites and Pricing. Folks are always emailing me with confusion so I'm writing it up. If you email me questions from now on (since I have only so many I'm going to point you here.

Disclaimer: This is written by me, not Marketing. I'm sure they'll be on the phone in a minute when they see this post. It doesn’t make it less true, though.

I wasn't an Azure fan until June of last year. I run all my sites on Azure except for this blog (which is at OrcsWeb where it's been for years).

Today, I have 13 websites and two VMs (one Linux and one Windows) running in Azure. 11 sites run in one VM instance with Azure Websites in the West US, and the other two are in different datacenters.

Q: I have a small website on a custom domain that I'm paying US$5 a month for at FooHost. Should I move to Azure?

A: Probably not. While you can get 10 free websites per data center (meaning, more than 10, technically) to play in Azure, if you want to point a custom domain at it you'll need at least one "shared" (multi-tenant, meaning you get a slice of a CPU) website. That's US$9.68 a month, running full time. If $9.68 is too rich for you, stick with your $5 host. However, you do get to use the same management tools and deployment subsystems even with just one shared site so it depends on what you find valuable. Free sites are great for development and test scenarios where you can experiment with new concepts before you start spending money.

If you’re trying to get by with the minimum for a few bucks a month, I don’t think it’s fair to compare Azure to a random $4.99 PHP host. You get command line management tools, lots of deployment choices, elastic scale in minutes whenever you want, etc.

Q: What if I am OK with $10 a month? What do I get with one shared site?

A: Whether it's 1 site or 500, all websites get Git deployment (and redeployment, also known as the "oh shit button") as well as deployment from Visual Studio and TFS. Everyone gets the same infrastructure and control panel.  You can also scale out to up to 6 shared instances if you need.

Each instance is a copy of your code running on a different shared server with its own quota of CPU and memory. We chose to limit the number of instances to 6 since having more than 6 instances ends up being more expensive than having one Standard server. You can have up to 100 sites in Shared mode per data center, and each site can have up to 6 instances.

Q: What about running my own VM and not using managed Websites?

A: If you know what you're doing, you can run your Website in a VM, but you need to set up IIS and manage it yourself. You need to keep the VM updated, and configure it however you want. But, you can get an extra small VM for $15 a month with 768MB RAM, which is nice. I run an instance of MySQL in one of these as well as PHP on Apache.


Q: When would I run a VM over a Website?

A. It comes down to what you want to manage. If you're cool with managing a VM and you want the flexibility, do that. If you want the OS and updates handled for you, as well as the deployment choices and scale out, use web sites.


Q: There's Free, Shared and Standard Websites. What's the difference?

A. Free means it's free, there's no uptime guarantee and you're low priority. I put demos and tests and dev on free stuff. I also run some services where it doesn't matter what the URL is because no one can see it. You can't use custom domains or SSL with free.

Shared means you're getting a slice of a computer and you're packed in with a lot of other folks on the shared plans. Most small websites (<20,000 PV) work just fine with shared.

Standard used to be called Reserved. You get your own VM and you can run ASP.NET, nodejs, PHP, etc (the same things you can run on Free and Standard). You can go from 1 core and 1.75G of RAM all the way up to 4 cores and 7G of RAM. I run all my sites in 1 standard small instance. Even with small I've got almost 2 gigs of ram and even though some of my sites (like Hanselminutes) do caching and may use 100-300 megs of RAM on a busy day, I've never had any issues.

If you need more than one server to run your sites you can scale out to 10 instances of your Standard server, if you need more than 10 server instances you can contact support services and they’ll work something out.

Here's the thing about clouds generally and Azure specifically. If you're not packing things densely you're not going to save money.

You can put up to 500 websites into a single instance using Azure Websites. That's not a typo. The more you put in the more value you get from your VM/standard instance.

Tip: Pack sites in tight. To be clear, if you are going to run more than 8 websites in Azure, you're a tool to not move into Standard/Reserved. It's just cheaper. Plus, if you have a bunch of sites in one Data Center (like, I had 10+ in West US) you want to put them all in the same VM. If you can keep serving traffic then effectively all sites you can put comfortably in your existing instance are "free." You're paying for the instance, use it.

Q. You're insane, what kind of sites could provide value and also be packed that tight?

A. There's lots of little sites, like my podcasts for example, that get a few tens of thousands or even hundreds of thousands hits a month. If you're working for a digital agency and putting together simple sites, you can start saving big money after about 6 to 8 sites.

Here's the Azure Pricing Calculator. In my opinion it's silly that it goes past 8 in Shared mode. Anything more than 8 shared sites is a waste of money.


You might look at this and think, 8 for $77? That's real money and too rich for me. I'm going to stick with my $5 host. And you probably should if you can pack 8 sites onto that $5 machine.

However, things get cheap when you move to Standard mode. Once you have 1 standard website VM you can put lots of stuff on that one machine.


Again, each web site is all alone, isolated and separately deployable and manageable, but they share your 1 VM. But the value is that you never think about the management of the VM. It's always up to date, they're looking for malware, patching the OS, handling stuff. Web Sites sits above the VM and you use FTP, Git Deploy or MS Deploy to get your site there. You can run ASP.NET, PHP, node.js, Python, hell, Classic ASP if you want to.

You're paying for the compute time, 0.10/hr and you're being billed as it's running. If it runs all month long it's $74.40. I run all my sites inside this VM. It's actually a little large, and I could probably get away with an "Extra Small VM" if they would make one for Web Sites (the team is telling me that this is coming soon). Note that I am charged 0.10/hr even if my sites get no traffic, I am essentially paying for “renting” the CPU from Azure.

Q. When do I scale, and how?

A. I talk to customers a lot and most of the ones doing public sites always overstate their traffic. What they want is the ability to scale IF it becomes popular. You can scale UP (bigger instance) or scale OUT (more instances).

You can set your sites to auto-scale if you get on Hacker News or your startup becomes popular. Azure will add (and remove!) instances to make sure traffic gets handled. It will never go above or below the settings you choose.


This is a way to control costs. In this screenshot, I will never go above 3 instances, so my site can fall over if it gets slammed, but I decide how hard it tries to scale. I want to balance costs with availability. I could change this however I want from just 1 small VM to 10 large ones, so that's 1 core to 40, as I like.

Q: Are Azure Websites running all the time, 24/7?

A: If you have a standard VM with a bunch of websites in them, the VM is running all the time and you're paying for that VM. If one of the web sites isn't used for some large number of hours, it will be put to sleep, freeing up resources for other sites on the same VM. If you're worried about the web site not warming up quickly, you can use the built-in Monitoring feature to not only ensure they are always up but that they are always warm.


Q: I’ve got an MSDN Subscription, what does that get me?

Link your MSDN and Azure accounts and you can get up to $150 a month in Azure credits, so up to two free VMs running all day for a month.

I've done a few posts on "Penny Pinching in the Cloud" that you may enjoy.


Review: The Blackberry Z10 - In the land of the blind, the one-eyed man is king

August 6, '13 Comments [39] Posted in Reviews

I've been hating my iPhone lately and I've got a love-hate relationship with my Lumia 920 so my buddy at AT&T loaned me a Blackberry Z10 for a month to try out. This is the same buddy who loaned me an AT&T Unite Hotspot in May. These are loans, I don't keep them.

Imagine a world where there is no iPhone and there is no Android and there is no Windows Phone. In this world, the Blackberry rocks. Not just rocks, present-tense, but rocked, past tense.

I mean, seriously, the RIM 950 had an Intel 386 and 4MB of RAM. That thing ran for a week on a AA battery and changed my life. Blackberry connected me. That was truly innovative. Research in Motion changed mobile forever.

The Blackberry Z10 changes nothing. It pains me to say this, truly it does. I'm sure that in some parallel universe Blackberry is on top and Mr. Spock has a beard. But on this planet, Mr. Spock has an iPhone (or probably a rooted iPad Mini that runs LCARS).


But, still, I ran with a Blackberry Z10 for a month and I tried, I really did. It's a lovely device, the Blackberry Z10, make no mistake. But, it's a Blackberry-iPhone. It's evil Spock, not Spock - a mirror if you will.


Don't we all appreciate the innovation in phone design that's happened since the introduction of the iPhone?


But is it a Blackberry? Kind of. It has BBM (BlackBerry Messenger) but that's where it ends. It actually feels more like the lovely HP TouchPad's webOS than like anything I've seen in the Blackberry universe. It's certainly more visually polished and consistent than any Android I've used, has more clarity and depth than a Windows Phone and is somehow as fluid as an iPhone.

Moving Around

You can move in and out of apps within a grid of four running apps. It's similar to the row of thumbnails you see on iPhone iOS7 or Windows Phone, except in a grid. One nice touch is that some apps, like the NYTimes for example, can opt-in and draw a custom tiny thumbnail of their own. Apps that choose not to just show a standard thumbnail. This is a small but under-utilized touch that has potential if it takes off with developers.

You swipe left and right between the Blackberry Hub on the far left, the running task list, and the actual app launch takes up the remaining screens.



The browser is excellent. It supports much of HTML5, CSS3 and Media Queries and modern sites like my blog and podcast site rendered great. It's not quite Mobile Safari but it's very close. Fonts render clear and clean and the 1280x720 screen is fantastic.


Your Information

The calendar has such potential, although the Month View is useless, as it is on literally every smart phone I've ever used. It's all birthdays and wasted space. Week View tips over quickly as well once you start having anything that resembles a normal person's schedule.


Email and The Hub

The one differentiator that this Blackberry has is the omnipresent "Hub." It is always off to the side and accessible from any app. It's Email and Facebook and Twitter and Texting all in one.



  • Mini HDMI connection - I'm not sure I'd ever use this, but I love that I have the chance. However with things like the Chromecast (and Miracast, AirPlay and Wi-Di) there's just no reason to have a physical connection to a large screen anymore. Or at least there soon won't be.
  • Feels great in your hand - It feels like an iPhone 5. It's weighty, but not heavy, firm and well built. Even though the back comes off (a plus, so you can swap batteries) it still feels tight.
  • Fast - It never lagged, swipes were recognized and responsive
  • Blackberry Hub - Everything (Twitter, SMS, Email, etc) is all in one place. Reminiscent of the Windows Phone People Hub, but more "swiss army knife" with all your messages in one giant list, my only complaint is that the swipe to access the Hub is not-intuitive. You swipe up from the bottom, then turn 90 degrees and keep swiping to the right, like a right-turn sign.
  • Browser - I was really impressed with the browser. It supports CSS3 media queries nicely and scrolls fast.


  • Smallish battery - I never made it a full day without having to charge. To be clear, my iPhone barely makes it past 2pm, but I somehow expected more from a Blackberry. This battery is only 1800mAh.
  • Small App Ecosystem - The Angry Birds, Twitters, and Facebooks are all here, but once you start digging it's clear that this is a paper dragon of an AppStore.

If you're #teamblackberry and you have #iphoneenvy then this is likely the phone for you. However, there's no compelling reason to switch if you already have a smart phone. If you're in the market for your first smart phone, I'd consider one of the top three phones, as I just don't see Blackberry winning. Still, it's an impressive first outing.


Add Social Sharing Links to your Blog without widget JavaScript

August 5, '13 Comments [13] Posted in Blogging

I'm always trying to tidy up my blog layout and remove 'noise' but every time I try to remove those social sharing buttons for Twitter and Facebook I get a barrage of email asking me to put them back. Personally, I use bookmarklets in my browser for tweeting links, rather than relying on AddThis or ShareThis or any of the other garish sharing JavaScripts.

This sharing button thing is out of control. Links work too, folks. It's the web. Let's not have our blogs turn into Vegas Billboards.*

Twitter, Facebook and Google+ all offer JavaScript that they'd LOVE for you to add to your site. Tracking is one of the reasons that they'd love you to add these. That may or may not be a strong reason not to add their JavaScript, but a concrete reason not to is speed.

When you add three services' JavaScript you're adding three DNS lookups, three (or 20) HTTP requests for their JavaScript and images, and on and on. That JavaScript has to execute as well, of course, but the value it provides isn't justified over the speed and hassle involved in my opinion.

I wanted to add social sharing links without adding JavaScript. Fortunately all these services support sharing via simply visiting a URL. Stated differently, you can share via an HTTP GET.

Below, I'm adding "YOURURLHERE" in the places you'll want the URL for your blog post. You should change these templates for your own blog engine. WordPress, BlogSpot, DasBlog, etc all have different macro formats. Your mileage may vary.

NOTE: Make sure you check that you have the right number of quotes and ampersands when adding these to your blog template.


Note that twitter's sharing format includes the URL, the Title and the "via" which is your twitter name.

<a href="">Twitter</a>


<a href="">Facebook</a>


<a href="">Google+</a>

You can share THIS post by clicking the links just below here on the same line as the Comments link.

Let me know about other social sites that support this kind of sharing in the comments, and I'll add your tips to this post.

* Yes, I know I have ads on this blog. It's taco money and it pays for the gadgets I review. It's hardly Vegas.


Hanselman's Newsletter of Wonderful Things: July 2nd, 2013

August 5, '13 Comments [3] Posted in Newsletter

I have a "whenever I get around to doing it" Newsletter of Wonderful Things. Why a newsletter? I dunno. It seems more personal somehow. Fight me.

You can view all the previous newsletters here. You can sign up here to the Newsletter of Wonderful Things or just wait and get them some weeks later on the blog, which hopefully you have subscribed to. Email folks get it first!

Here's the newsletter that I sent out July 2nd.

Hi Interfriends,

Thanks again for signing up for this experiment. Here's some interesting things I've come upon this week. If you forwarded this (or if it was forwarded to you) a reminder: You can sign up at and the archive of all previous Newsletters is here.

Remember, you get the newsletter here first. This one will be posted to the blog as an archive in a few weeks. 

Scott Hanselman

(BTW, since you *love* email you can subscribe to my blog via email here: DO IT!)

P.P.S. You know you can forward this to your friends, right?


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.