Forgot your password?
typodupeerror
Internet Explorer Windows

New Tool Reveals Internet Passwords 140

Posted by CmdrTaco
from the change-early-change-often dept.
wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."
This discussion has been archived. No new comments can be posted.

New Tool Reveals Internet Passwords

Comments Filter:
  • by eldavojohn (898314) * <eldavojohn@@@gmail...com> on Thursday July 01, 2010 @09:18AM (#32755930) Journal
    This tool appears to just be a well written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView [nirsoft.net], Google Chrome Pass [nirsoft.net], Messanger Key for instant messengers [msgshit.com] and even Password Fox [nirsoft.net].

    When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client are remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

    A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.
    • by ShadowRangerRIT (1301549) on Thursday July 01, 2010 @09:26AM (#32756028)
      This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.
      • by stonewallred (1465497) on Thursday July 01, 2010 @09:29AM (#32756082)
        WTF!!! How did you find out my master password??!!?!?!
      • by hedwards (940851)
        Yes, but it would be nice if they didn't default to saving form information and asking you if you want to save password on every single site.
        • Eh. Defaulting to a more usable but less secure state is standard practice for anyone that wants to sell software to consumer. If you care about it, it's trivial to fix:
          • Tools->Options->Privacy->Select "Use custom settings for history"->Uncheck "Remember Search and Form History"
          • Tools->Options->Security->Uncheck "Remember passwords for sites"

          My girlfriend does it first thing after installing Firefox on every machine she's ever owned (and she's not particularly computer savvy; she's a

      • by Cato (8296)

        You could also look at LastPass - http://lastpass.com/ [lastpass.com] - which works very well across Windows/Mac/Linux, Firefox, Chrome, Safari, etc, and on many mobile phones as well. Quite well designed and mature, and can be used offline though it's a browser addon, and syncs your password data to/from the cloud automatically, but also supports export to various formats if the cloud goes away. Now has a feature to manage non-browser passwords as well.

      • by bheerssen (534014)

        12345? That's amazing! I've got the same combination on my luggage...

      • by macshome (818789)
        Apple offers the Keychain APIs for secure storage of identity items as well.

        Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.
        • by wkcole (644783)

          Apple offers the Keychain APIs for secure storage of identity items as well. Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.

          And we all know that with the excellent security synergy between users and application developers, the result of having freely tweakable security settings that default to moderate strength inevitably tends towards most users finding their own optimal balance of security and convenience that never leaves anyone at significant risk.

          What, you haven't noticed that? I'm SHOCKED!

          Snark aside: YES, Apple provides a strong toolkit and default behaviors (in Safari and elsewhere) that set a reasonably secure norm

    • by Spad (470073)

      Which is why I like Seamonkey's ability to secure the password store with a password of its own so that you're not simply relying on security through obscurity.

      • Re: (Score:2, Informative)

        by natehoy (1608657)

        Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The on

    • Re: (Score:3, Informative)

      by AlexiaDeath (1616055)
      msgshit.com - interesting domain name. Deliberate, it seems. 5pts. All your cached passwords are readable. They have to be to be used. Duh! Nobody caching their passwords should be surprised by that...
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Not to mention that for the open source browsers you can probably just look to see where it stores those keys. This is not a knock against the system, or even the approach, but just an observation.

      Assuming the tool is just using the associated "Remember my password" functionality, then this is a non-story and people could get it without the tool. Heck, in Firefox, and I believe Chrome, you can view your stored passwords in plain text using the built-in password manager.

    • by TheSpoom (715771)

      Firefox doesn't even attempt to hide it: Preferences -> Security -> Saved Passwords -> Show Passwords.

      • Re: (Score:3, Informative)

        by ehrichweiss (706417) *

        If you assign a master password that changes for you a bit; it won't show them without you entering the master password, twice IIRC.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Perhaps this needs a rethink on filesystem security?

      I'm thinking a desktop OS wherein each application is assigned a directory/folder on installation, and is only able to access its own folder a per user generic 'documents' folder, and a per user, application specific configuration folder. There'd be some costs to that - developers would have to compile against APIs and libraries rather than importing them in from the system at runtime. This would make individual programs larger and increase maintenance req

      • On OS X, the keychain is stored encrypted. When you log in, the keychain daemon runs and, if your keychain password matches your login password, decrypts the store into RAM. Individual passwords can only be accessed by other apps via RPC to this daemon. This RPC uses Mach ports, which allow the process on the other end to be identified. Access to individual passwords must be specifically granted (on a one-off or permanent basis) to apps, although any app can access all passwords that it created. If the

    • I wanna see the Skeksi interface!

      The Dark Crystal (1982)
      http://www.imdb.com/title/tt0083791/plotsummary [imdb.com]

    • by Yvanhoe (564877)
      "remember my password" can be secured by a master password. Type it once in a session to be able to login to many website. Honestly, nowadays, with 20+ websites asking silly registrations, it is either that, or use the same login/password everywhere.
    • by shnull (1359843)
      dam' refinement of technology ... in meeehehey days, tools wudnt that darn complicated and specific, they just revealed all windows passwords ...
    • This is nothing new with Microsoft! People will hack their code at every opportunity and they know it. This gives them an excuse to release an even more secure program year after year! Am i the only one who thinks this? Mobile phone lasts 2 years max... why? because they want you to buy a new one! Windows gets so hacked and unusable within 2 years... again why? so they can bring out a new version.. just about every product on the market is like this because if not they have no repeat business which means no
  • by richy freeway (623503) * on Thursday July 01, 2010 @09:19AM (#32755936)
    None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

    Check out http://www.nirsoft.net/utils/#password_utils [nirsoft.net] for password recovery tools, for free, that have been available for ages.
    • by Xacid (560407)
      Or even Cain [www.oxid.it]
  • by jack2000 (1178961) on Thursday July 01, 2010 @09:20AM (#32755956)
    This isn't new by any foxnews stretch of the word.
  • How safe is OS X and its keychain tech?
    Is it also $49 safe? Thanks
    • Depends (Score:3, Interesting)

      by Sycraft-fu (314770)

      Anything that just stores passwords for automatic login, and doesn't require any user interaction, is not secure from something like this. Reason is if a program, like say Thunderbird, can get your e-mail password to hand off to the server, well then another program can too. It is stored in some easily reversible form. However, if the program itself needs a password to access the password store, then it should be secure provided a good password is used. The reason is that it uses that password to encrypt th

    • by kybred (795293)
      From Wikipedia Apple Keychain [wikipedia.org]

      The default keychain file is the login keychain, typically opened on login by the user's login password (although the password for this keychain can instead be different from a user’s login password, adding security at the expense of some convenience).

      ...

      The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Only the password is encrypted and it is encrypted with Triple DES.

  • Title is Inaccurate (Score:5, Informative)

    by Cytlid (95255) on Thursday July 01, 2010 @09:21AM (#32755968)
    It should read "New Tool Reveals Windows Passwords".
    • by AHuxley (892839)
      Yes it seems if you use Linux or Mac, your MS web mail should be safe.
    • Oh god, I'm so relieved. For a moment I was afraid someone got the password to the internet!

      Actually, to be honest, when I first saw the headline, I thought to myself, "When asked to stop revealing people's passwords, the tool put his oakleys on, popped his collar, and then nah "Nah, bro," before walking away.
    • Windows passwords are stored using non-reversible encryption be default. For Vista and 7, they are stored only using the HTLMv2 hash by default, which is extremely secure. For XP passwords under 14 characters it does store the LM has as well by default, which can generally be cracked with only a little effort as it is not secure.

      What this tool does is reveal saved passwords in programs. That is not hard to do. Any password you save for a remote system must, by definition, be stored using some sort of revers

  • I am invincible, I use Chrome...
    • by wkeri11a (963528)
      LOL..nice but you're comment makes a good point - this little article mentions only IE. Does that mean browsers like Firefox (my choice), Chrome, Safari are immune. All of them have remember my password functionality but somehow does it better/different? I assume this since no one so far has written, "Sweet Jesus we're DOOMED!", that IE is the only exploited platform with this software?
      • by Spad (470073)

        No. Your saved browser passwords are only secure if the browser provides (properly implemented) password protection for the saved passwords.

        i.e. The passwords are encrypted with a key, which is encrypted with a password that the browser requires you to enter before it will allow access to your saved passwords.

  • Heh (Score:5, Interesting)

    by Pojut (1027544) on Thursday July 01, 2010 @09:22AM (#32755978) Homepage

    This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

    This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

    Ah, memories...

    • Re: (Score:2, Funny)

      by Anonymous Coward

      wtf? I almost have the exact same story...

    • by ninja59 (1029474)
      right, your Angelfire web site in the middle of the night. (a light fappish sound in background)
    • by 6Yankee (597075)

      My mother went for the low-tech solution to keeping my brother and I off the internet when she wasn't around - taking the power cord to the PC with her.

      Suffice to say, they don't call them kettle cords for nothing ;)

    • by hellop2 (1271166)
      You mean Snadboy's Revelation http://www.snadboy.com/
    • A pubescent youth gets the keys to the internet and he spends his time late at night....working on an Angelfire webpage?

      What kind of mutant alien monster are you??
      • Re: (Score:3, Informative)

        by Pojut (1027544)

        The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)

    • by Thuktun (221615)

      This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

      In that version of Windows, a password edit control just had a password style set on it and you could effectively disable that with some simple Windows API calls. Worse, you could just WM_GETTEXT and get the password out in plaintext without changing the style.

    • by glwtta (532858)
      working on my Angelfire web page

      That's an odd way to misspell "masturbating furiously".
    • Years ago I once lost the password for my dial-up internet, and it was easier to make a 'modem tap' to recover it than it was to dig into the binaries and extract the encrypted password from the dialup networking glop I used back then. I just soldered on a third 'listen only' tap connector on my modem cable and intercepted the password as it was sent out to the modem.

    • by b4dc0d3r (1268512)
      It's specific to versioned windows, you have to update the address of USER32.ValidateHwnd, and it probably does not work with ASLR type protection. But it worked with XP.
      <code>

      #include "stdafx.h"

      int ReadOtherProcess (HWND hwnd, void *address, void *buf, unsigned len)
      {
      unsigned long pid;
      HANDLE process;

      GetWindowThreadProcessId ( hwnd, &pid );
      process = OpenProcess (PROCESS_VM_OPERATION|PROCESS_VM_READ|
  • Sigh. (Score:5, Interesting)

    by Spyware23 (1260322) on Thursday July 01, 2010 @09:24AM (#32756004) Homepage

    This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (ie. hackers), not "news" websites which place more product placement than news.

    Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

    • Tip: A large number of stories on Slashdot are product placement. It has been this way since, to my recollection, the series of stories on They Might be Giants. It was probably going on before that and I just didn't recognize. Those seemed like the first slashvertisements that made no real effort to disguise themselves.

      Slashdot is good for its user submitted content. There are still some really good, really informative discussions going on involving people who really know the subjects, that can't be found a

    • by The Car (1846356)

      Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

      In their defense, the core logic is written in C#.

    • Yeah, this really isn't anything new or newsworthy; that some Russian web site is charging $50 to give you already existing tools in a nice package; now that's news!
      • by hedwards (940851)
        No it's not, what's news is that they then take your credit information and completely empty the bank accounts associated with it.
    • by hadesan (664029)
      It's a CmdrTaco post - did you expect anything less (or actually more)?
  • Passwords (Score:3, Funny)

    by Rik Sweeney (471717) on Thursday July 01, 2010 @09:28AM (#32756058) Homepage

    And it's for this reason that I write all my passwords down on the back of my hand.

    I've already addressed the problem of them washing off by using using permanent marker. And not bathing.

  • Which is this? (Score:5, Insightful)

    by tverbeek (457094) on Thursday July 01, 2010 @09:32AM (#32756112) Homepage

    Is this an alert or an advert? ;)

  • in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail."

    ...But how does this effect me?

  • Use Keypass [keepass.info]
  • by bartwol (117819) on Thursday July 01, 2010 @09:57AM (#32756484)

    Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.

    Here are some more details about how Firefox stores passwords. [luxsci.com]

  • Site seems to be down
  • by hilather (1079603) on Thursday July 01, 2010 @10:21AM (#32756800)
    I was beginning to think IE cache was unbreakable...
    • by caekys (1845106)

      I was beginning to think IE cache was unbreakable...

      How does one break something that is already broken? Naw, just kidding.

  • Shocked (Score:1, Troll)

    by Zoxed (676559)

    I am shocked, shocked to find a security flaw in Microsoft Internet Explorer.

  • all your password belong to us

  • This whole thing reads like a press release for a new product: "With a price tag of just $49..." As has already mentioned, this is not really newsworthy, old tech in a new box.
  • <tong-in-cheek>

    I am outraged! Why doesn't this work on Linux?
    Its always the same... people think that FOSS is not that important blablabla...

    </tong-in-cheek>
  • Any "remember my password" feature in any app is inherently insecure.

    Whenever I write such a feature, I encrypt the saved password, but I understand that this will only defeat wannabe crackers whose level of sophistication is limited to running strings on cache files. Any cracker worth their salt will reverse-engineer the encryption used by the app.

    It's for this reason that I never enable "remember my password" where important passwords are involved.

  • Yawn. LSA secrets aren't particularly.

    Why not write stories about those who build things rather than give valuable Slashdot electrons to breaking stuff? Boring.

  • My wife needs a tool like this. She can never remember her passwords.

Any sufficiently advanced technology is indistinguishable from a rigged demo. - Andy Finkel, computer guy

Working...