New Tool Reveals Internet Passwords

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."

Prettier Tool, Old Exploit

[eldavojohn]

This tool appears to just be a well written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView [nirsoft.net], Google Chrome Pass [nirsoft.net], Messanger Key for instant messengers [msgshit.com] and even Password Fox [nirsoft.net].

When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client are remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.

Re:Prettier Tool, Old Exploit

[stonewallred]

WTF!!! How did you find out my master password??!!?!?!

Re:Prettier Tool, Old Exploit

[Cryacin]

What? That's the same combination as my luggage.

Re:

[sconeu]

WTF? I have the same password on my atmosphere shield!

Re:

[Sulphur]

Thank you for pressing the self destruct button.

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia, forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish. Oh well...

Hmm... This is an old story, so this probably won't receive any mods, but I have no idea what I'd mod it if I were moderating. Flamebait/Insightful/Funny/Interesting/Off-topic maybe? Mods, if you can coordinate to apply each of those once, it would be awesome (and I'd end up with overall neutral Karma!). :-)

Re:

[JustOK]

You keep going on and on about people going on and on about something. That's funny.

Re:

[Mister Whirly]

You must be new here.

Re:

[JustOK]

Mr. Balmer?

Re:

[Voulnet]

Damn, I didn't know Kevin Mitnick started posting on Slashdot after his interview here.

Re:

[L4t3r4lu5]

Don't worry, it changes for everyone who reads it. Only you see your master password, because it's your master password.

If I enter mine, all you'll get is asterisks. Watch: *******

Re:Prettier Tool, Old Exploit

[Yvan256]

http://bash.org/?244321 [bash.org].

Re:

[PincushionMan]

All I see is hunter2

Re:

[Vahokif]

My master password is ********.

Re:

[Anonymous Coward]

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password.

And this is what Windows does. The CryptProtectData API uses a key that is itself encrypted with (data derived from) the user's password. So you can only access the cached passwords if the user is logged on or you know the password.

Is that supposed to be PRAISING that boneheaded scheme?

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

Well, the Windows scheme only protects your password from malicious software if you never log in at all; once you're logged in any program can pull the passwords, even if you never load the browser. Firefox can only give up master password protected passwords if you launch the browser and provide the master password. And an extension exists to configure the Firefox password manager to "forget" the master password (which is never actually stored, but you know what I mean) after a few minutes, limiting the window of vulnerability further.

Beyond that, if you've got truly malicious software actively running on your computer at all times (not just some website that gets brief read access through an exploit), you're hosed no matter what. Even if you never use a password manager, they can read the password as you type it into the browser; it might take more time than decrypting a password store and forwarding the data in bulk, but it's just as effective over the long haul. It's a trade off between window of vulnerability, scale of breach, and hassle. No manager at all is a hassle (to remember all usernames and passwords), but it's the most secure, since you can only lose one password at a time, with narrow windows of vulnerability. Password managers mean the scale of breach potential increases (you can lose them all at once). Firefox with a master password narrows the window of vulnerability relative to IE, and the extension that re-locks the store narrows it further, at the cost of needing to remember and type the password store password.

I consider it a reasonable trade-off, given that I'm not going to remember the user name and password for every site I visit. Even if I wanted to use the same one everywhere (and I don't, because then one site breach means I lose everything), differing username and password requirements make that impossible, and frankly, my memory isn't good enough to track login info for fifty odd websites, including a dozen I visit only once or twice a year.

Re:

[hedwards]

Yes, but it would be nice if they didn't default to saving form information and asking you if you want to save password on every single site.

Re:

[ShadowRangerRIT]

Eh. Defaulting to a more usable but less secure state is standard practice for anyone that wants to sell software to consumer. If you care about it, it's trivial to fix:

• Tools->Options->Privacy->Select "Use custom settings for history"->Uncheck "Remember Search and Form History"
• Tools->Options->Security->Uncheck "Remember passwords for sites"

My girlfriend does it first thing after installing Firefox on every machine she's ever owned (and she's not particularly computer savvy; she's a

Re:

[Cato]

You could also look at LastPass - http://lastpass.com/ [lastpass.com] - which works very well across Windows/Mac/Linux, Firefox, Chrome, Safari, etc, and on many mobile phones as well. Quite well designed and mature, and can be used offline though it's a browser addon, and syncs your password data to/from the cloud automatically, but also supports export to various formats if the cloud goes away. Now has a feature to manage non-browser passwords as well.

Re:

[bheerssen]

12345? That's amazing! I've got the same combination on my luggage...

Re:

[macshome]

Apple offers the Keychain APIs for secure storage of identity items as well.

Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.

Re:

[wkcole]

Apple offers the Keychain APIs for secure storage of identity items as well. Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.

And we all know that with the excellent security synergy between users and application developers, the result of having freely tweakable security settings that default to moderate strength inevitably tends towards most users finding their own optimal balance of security and convenience that never leaves anyone at significant risk.

What, you haven't noticed that? I'm SHOCKED!

Snark aside: YES, Apple provides a strong toolkit and default behaviors (in Safari and elsewhere) that set a reasonably secure norm

Re:

[Spad]

Which is why I like Seamonkey's ability to secure the password store with a password of its own so that you're not simply relying on security through obscurity.

Re:

[natehoy]

Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The on

Re:

[AlexiaDeath]

msgshit.com - interesting domain name. Deliberate, it seems. 5pts. All your cached passwords are readable. They have to be to be used. Duh! Nobody caching their passwords should be surprised by that...

Re:

[Anonymous Coward]

Not to mention that for the open source browsers you can probably just look to see where it stores those keys. This is not a knock against the system, or even the approach, but just an observation.

Assuming the tool is just using the associated "Remember my password" functionality, then this is a non-story and people could get it without the tool. Heck, in Firefox, and I believe Chrome, you can view your stored passwords in plain text using the built-in password manager.

Re:

[TheSpoom]

Firefox doesn't even attempt to hide it: Preferences -> Security -> Saved Passwords -> Show Passwords.

Re:

[ehrichweiss]

If you assign a master password that changes for you a bit; it won't show them without you entering the master password, twice IIRC.

Re:

[Anonymous Coward]

Perhaps this needs a rethink on filesystem security?

I'm thinking a desktop OS wherein each application is assigned a directory/folder on installation, and is only able to access its own folder a per user generic 'documents' folder, and a per user, application specific configuration folder. There'd be some costs to that - developers would have to compile against APIs and libraries rather than importing them in from the system at runtime. This would make individual programs larger and increase maintenance req

Re:

[TheRaven64]

On OS X, the keychain is stored encrypted. When you log in, the keychain daemon runs and, if your keychain password matches your login password, decrypts the store into RAM. Individual passwords can only be accessed by other apps via RPC to this daemon. This RPC uses Mach ports, which allow the process on the other end to be identified. Access to individual passwords must be specifically granted (on a one-off or permanent basis) to apps, although any app can access all passwords that it created. If the

Re: Interface

[TaoPhoenix]

I wanna see the Skeksi interface!

The Dark Crystal (1982)
http://www.imdb.com/title/tt0083791/plotsummary [imdb.com]

Re:

[Yvanhoe]

"remember my password" can be secured by a master password. Type it once in a session to be able to login to many website. Honestly, nowadays, with 20+ websites asking silly registrations, it is either that, or use the same login/password everywhere.

Re:

[shnull]

dam' refinement of technology ... in meeehehey days, tools wudnt that darn complicated and specific, they just revealed all windows passwords ...

Re:

[turnkey-web]

This is nothing new with Microsoft! People will hack their code at every opportunity and they know it. This gives them an excuse to release an even more secure program year after year! Am i the only one who thinks this? Mobile phone lasts 2 years max... why? because they want you to buy a new one! Windows gets so hacked and unusable within 2 years... again why? so they can bring out a new version.. just about every product on the market is like this because if not they have no repeat business which means no

Slashvertisment if EVER I saw one.

[richy freeway]

None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

Check out http://www.nirsoft.net/utils/#password_utils [nirsoft.net] for password recovery tools, for free, that have been available for ages.

Re:

[Xacid]

Or even Cain [www.oxid.it]

Re:

[richy freeway]

And you run this tool from the article where? On your cellphone?

My point is valid and still stands. The tools I linked to are EXACTLY the same.

Re:

[ehrichweiss]

You definitely didn't RTFA, or understand the summary. It's a locally run program that reveals passwords for the sites you visit to the person who runs the program.

Re:

[olderchurch]

Nowhere in TFA it says anything about an expoit that reveals your password to a website you visit. It mentions that it reveals passwords that are cached. From the FTA:

The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

Re:

[richy freeway]

Explain to me what you think TFA is on about then. From what I've seen so far, you've missed the point completely. What do you think cached passwords are?

Re:

[ZyBex]

The OP is actually agreeing with you, dude. Read again.

I agree, this is nothing new. Nirsoft tools are great, I've been using them for ages. Time to make a donation.

Re:

[Stunning Tard]

This exploit reveals your passwords to a website that you visit (although I have not RTFA), which is a bit different.

The slashvertized tool does not send passwords to a website. It reveals passwords to you when you run the tool locally. This is not news.

At the risk of putting this company out of business here's a 'cracker' for passwords stored by most browsers [blogspot.com].

New? I don't think so.

[jack2000]

This isn't new by any foxnews stretch of the word.

vs OS X keychain?

[AHuxley]

How safe is OS X and its keychain tech?
Is it also $49 safe? Thanks

Depends

[Sycraft-fu]

Anything that just stores passwords for automatic login, and doesn't require any user interaction, is not secure from something like this. Reason is if a program, like say Thunderbird, can get your e-mail password to hand off to the server, well then another program can too. It is stored in some easily reversible form. However, if the program itself needs a password to access the password store, then it should be secure provided a good password is used. The reason is that it uses that password to encrypt th

Re:

[kybred]

From Wikipedia Apple Keychain [wikipedia.org]

The default keychain file is the login keychain, typically opened on login by the user's login password (although the password for this keychain can instead be different from a user’s login password, adding security at the expense of some convenience).

...

The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Only the password is encrypted and it is encrypted with Triple DES.

Title is Inaccurate

[Cytlid]

It should read "New Tool Reveals Windows Passwords".

Re:

[AHuxley]

Yes it seems if you use Linux or Mac, your MS web mail should be safe.

Re:

[dyingtolive]

Oh god, I'm so relieved. For a moment I was afraid someone got the password to the internet!

Actually, to be honest, when I first saw the headline, I thought to myself, "When asked to stop revealing people's passwords, the tool put his oakleys on, popped his collar, and then nah "Nah, bro," before walking away.

No that is incorrect

[Sycraft-fu]

Windows passwords are stored using non-reversible encryption be default. For Vista and 7, they are stored only using the HTLMv2 hash by default, which is extremely secure. For XP passwords under 14 characters it does store the LM has as well by default, which can generally be cracked with only a little effort as it is not secure.

What this tool does is reveal saved passwords in programs. That is not hard to do. Any password you save for a remote system must, by definition, be stored using some sort of revers

Bah...

[PmanAce]

I am invincible, I use Chrome...

Re:

[wkeri11a]

LOL..nice but you're comment makes a good point - this little article mentions only IE. Does that mean browsers like Firefox (my choice), Chrome, Safari are immune. All of them have remember my password functionality but somehow does it better/different? I assume this since no one so far has written, "Sweet Jesus we're DOOMED!", that IE is the only exploited platform with this software?

Re:

[Spad]

No. Your saved browser passwords are only secure if the browser provides (properly implemented) password protection for the saved passwords.

i.e. The passwords are encrypted with a key, which is encrypted with a password that the browser requires you to enter before it will allow access to your saved passwords.

Heh

[Pojut]

This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

Ah, memories...

Re:

[Anonymous Coward]

wtf? I almost have the exact same story...

Re:

[ninja59]

right, your Angelfire web site in the middle of the night. (a light fappish sound in background)

Re:

[6Yankee]

My mother went for the low-tech solution to keeping my brother and I off the internet when she wasn't around - taking the power cord to the PC with her.

Suffice to say, they don't call them kettle cords for nothing ;)

Re:

[hellop2]

You mean Snadboy's Revelation http://www.snadboy.com/

Re:

[Pojut]

It's been a long time, but I'm 99.9% sure that was it!

Re:

[PacketShaper]

A pubescent youth gets the keys to the internet and he spends his time late at night....working on an Angelfire webpage?

What kind of mutant alien monster are you??

Re:

[Pojut]

The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)

Re:

[Thuktun]

This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

In that version of Windows, a password edit control just had a password style set on it and you could effectively disable that with some simple Windows API calls. Worse, you could just WM_GETTEXT and get the password out in plaintext without changing the style.

Re:

[glwtta]

working on my Angelfire web page

That's an odd way to misspell "masturbating furiously".

Re:

[Bing Tsher E]

Years ago I once lost the password for my dial-up internet, and it was easier to make a 'modem tap' to recover it than it was to dig into the binaries and extract the encrypted password from the dialup networking glop I used back then. I just soldered on a third 'listen only' tap connector on my modem cable and intercepted the password as it was sent out to the modem.

Re:

[b4dc0d3r]

It's specific to versioned windows, you have to update the address of USER32.ValidateHwnd, and it probably does not work with ASLR type protection. But it worked with XP.
<code>

#include "stdafx.h"

int ReadOtherProcess (HWND hwnd, void *address, void *buf, unsigned len)
{
unsigned long pid;
HANDLE process;

GetWindowThreadProcessId ( hwnd, &pid );
process = OpenProcess (PROCESS_VM_OPERATION|PROCESS_VM_READ|

Sigh.

[Spyware23]

This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (ie. hackers), not "news" websites which place more product placement than news.

Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

Re:

[Hijacked Public]

Tip: A large number of stories on Slashdot are product placement. It has been this way since, to my recollection, the series of stories on They Might be Giants. It was probably going on before that and I just didn't recognize. Those seemed like the first slashvertisements that made no real effort to disguise themselves.

Slashdot is good for its user submitted content. There are still some really good, really informative discussions going on involving people who really know the subjects, that can't be found a

Re:

[The Car]

Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

In their defense, the core logic is written in C#.

Re:

[interval1066]

Yeah, this really isn't anything new or newsworthy; that some Russian web site is charging $50 to give you already existing tools in a nice package; now that's news!

Re:

[hedwards]

No it's not, what's news is that they then take your credit information and completely empty the bank accounts associated with it.

Re:

[hadesan]

It's a CmdrTaco post - did you expect anything less (or actually more)?

Passwords

[Rik Sweeney]

And it's for this reason that I write all my passwords down on the back of my hand.

I've already addressed the problem of them washing off by using using permanent marker. And not bathing.

Re:

[robot256]

It's okay, because he changes his password every two weeks when the ink fades and writes the new one down on top of it. Right?

Which is this?

[tverbeek]

Is this an alert or an advert? ;)

Re:

[Spad]

An Adlert?

Re:

[acoustix]

Ask your doctor if Adlert is right for you.

Nice. I appreciated that.

Well, ok

[HeckRuler]

in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail."

...But how does this effect me?

Re:

[gardyloo]

That would be an interesting question, if you didn't actually mean affect.

Re:

[prionic6]

I think it effected his post.

Solve the problem

[L4t3r4lu5]

Use Keypass [keepass.info]

Re:Solve the problem

[L4t3r4lu5]

Further, "CmdrTaco! Look out! kdawson has stolen your password using this tool and is posting inflammatory and poorly researched crap using your account!"

Firefox password security

[bartwol]

Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.

Here are some more details about how Firefox stores passwords. [luxsci.com]

Site seems to be down

[__aavqan3009]

Site seems to be down

I'm glad they finally figured this out.

[hilather]

I was beginning to think IE cache was unbreakable...

Re:

[caekys]

I was beginning to think IE cache was unbreakable...

How does one break something that is already broken? Naw, just kidding.

Shocked

[Zoxed]

I am shocked, shocked to find a security flaw in Microsoft Internet Explorer.

New Tool Reveals Internet Passwords

[burgessms]

all your password belong to us

PR

[internetdarwin]

This whole thing reads like a press release for a new product: "With a price tag of just $49..." As has already mentioned, this is not really newsworthy, old tech in a new box.

and it doesnt work with LINUX?!?!?!

[Razgorov Prikazka]

<tong-in-cheek>

I am outraged! Why doesn't this work on Linux?
Its always the same... people think that FOSS is not that important blablabla...

</tong-in-cheek>

"Remember my password" is inherently insecure.

[efalk]

Any "remember my password" feature in any app is inherently insecure.

Whenever I write such a feature, I encrypt the saved password, but I understand that this will only defeat wannabe crackers whose level of sophistication is limited to running strings on cache files. Any cracker worth their salt will reverse-engineer the encryption used by the app.

It's for this reason that I never enable "remember my password" where important passwords are involved.

1995 wants its news back

[ajv]

Yawn. LSA secrets aren't particularly.

Why not write stories about those who build things rather than give valuable Slashdot electrons to breaking stuff? Boring.

My wife needs a tool like this.

[s_p_oneil]

My wife needs a tool like this. She can never remember her passwords.