New Tool Reveals Internet Passwords

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."

Prettier Tool, Old Exploit

[eldavojohn]

This tool appears to just be a well written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView [nirsoft.net], Google Chrome Pass [nirsoft.net], Messanger Key for instant messengers [msgshit.com] and even Password Fox [nirsoft.net].

When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client are remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.

How is this news exactly

[sopssa]

These password recovery tools have been available as long as there have been passwords in use.

There isn't much you can do about it. They are cached passwords so the applications need to be able to get them back exactly as they were saved (website logins, email logins and so on). You cannot do md5 or other hashing methods on them and since you have the binaries, the encryption/decryption algorithms and keys or the logic is right there available for anyone to disassembly and debug.

Which is this?

[tverbeek]

Is this an alert or an advert? ;)

Re:Prettier Tool, Old Exploit

[Anonymous Coward]

Not to mention that for the open source browsers you can probably just look to see where it stores those keys. This is not a knock against the system, or even the approach, but just an observation.

Assuming the tool is just using the associated "Remember my password" functionality, then this is a non-story and people could get it without the tool. Heck, in Firefox, and I believe Chrome, you can view your stored passwords in plain text using the built-in password manager.

Re:Prettier Tool, Old Exploit

[Anonymous Coward]

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password.

And this is what Windows does. The CryptProtectData API uses a key that is itself encrypted with (data derived from) the user's password. So you can only access the cached passwords if the user is logged on or you know the password.

Is that supposed to be PRAISING that boneheaded scheme?