One of the most convenient tools browsers offer is the ability to save and automatically prefill your passwords on login forms. Because so many sites require accounts and it is well known (or should be at least) that using a shared password is a big no-no, a password manager is almost essential.
So if you are an IE user and answer “yes” to allow the browser to remember your password, how secure is this information?
Where are they saved?
Starting with Internet Explorer 7, passwords are stored in the system registry (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) and encrypted against the Windows user’s login password using the Data Protection API, which utilizes Triple DES encryption.
How secure is this data?
At the time of this writing, Triple DES is practically unbreakable through brute force. However, there is no need to brute force the encryption once you are logged into the Windows account where the password data is stored, because Windows assumes that once a user is logged in, it is safe for applications running as that user to access this data. Because IE does not use a master password (such as Firefox offers) to protect its saved passwords, the Windows account password is effectively the Triple DES decryption key.
Simply put, if you can log in to Windows with the account and password, you can see the saved browser passwords. Using a freely available utility such as NirSoft’s IE PassView, you can view and export every saved IE password.
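The behaviour described above, as an added PowerShell example that is not from the original post: data protected with DPAPI in the CurrentUser scope is decrypted by any code running as that user with no prompt, while supplying a separate secret as optional entropy (the role a browser master password would play) makes the logon session alone insufficient. It assumes Windows PowerShell 5.1; the sample secret and entropy strings are constructed, and the Storage2 path is the one named above.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1,
# where ProtectedData lives in System.Security.dll.
Add-Type -AssemblyName System.Security
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed sample values; nothing here is a real credential.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-password')
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-master-password')

# 1. Plain DPAPI, as the post describes for IE's Storage2 blobs: any code running
#    as this user decrypts the blob, with no UAC prompt and no extra secret.
$blob  = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
"Same user, no extra secret: {0}" -f [System.Text.Encoding]::UTF8.GetString($plain)

# 2. With optional entropy: being logged in as the user is no longer sufficient.
$blob2 = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob2, $null, $scope)
    "Unexpected: decrypted without the extra secret"
} catch {
    "Without the extra secret: {0}" -f $_.Exception.GetBaseException().GetType().Name
}
$plain2 = [System.Security.Cryptography.ProtectedData]::Unprotect($blob2, $entropy, $scope)
"With the extra secret: {0}" -f [System.Text.Encoding]::UTF8.GetString($plain2)

# 3. Audit only: does this profile hold any saved IE entries at all? The blobs
#    are counted, not decrypted.
$key = 'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2'
if (Test-Path $key) {
    "Storage2 present with {0} stored value(s)" -f (Get-Item $key).ValueCount
} else {
    "No Storage2 key: no IE saved passwords in this profile"
}
```

Step 2 prints CryptographicException for the attempt without entropy; the same blob decrypts once the extra secret is supplied.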
So can malware access this?
After seeing how easy it is to get to this data, the next logical question is whether malware can get to it just as easily. I am not a malware developer, but I don’t see any reason it could not. If I scan the IE PassView utility using VirusTotal, you can see that 55% of the scanners they use flag it as malware (one of which is Security Essentials).
While in our case the result is a false positive, it also shows that a piece of malware could access this data undetected even on a system running anti-virus, since not every scanner flagged the utility. Additionally, because the encrypted data is user specific, no UAC prompt is triggered by an application trying to access it. Before calling this a flaw in the OS, consider that it really has to work this way; otherwise IE and a host of other Windows applications that use the protected storage would trigger a UAC prompt every time they opened.
What if my computer is stolen?
The simple answer is that this data is as secure as your Windows account password. As shown above, when you log in to the account with the appropriate password, all of this data is easily accessible. If you use no password, you have no protection.
To take this a step further, I reset the account password to see what would happen when it was forcibly changed outside of Windows. After the reset, I saved a new Gmail password (blah@) and ran IE PassView. I could see the previous user name (myemail@), which had been saved before the reset, but because the account passwords (i.e. the “master password”) used to protect the data were different, it could not decrypt the IE password saved under the previous Windows account password. This is definitely a good thing.
At the end of the day, the security of your IE saved passwords depends totally on the user:
- Use a very strong Windows account password. Keep in mind, there are utilities which can decipher Windows passwords. If someone gets your Windows account password then they have access to your saved IE passwords.
- Protect yourself from malware. If utilities are able to easily access your saved passwords, why can’t malware?
- Save your passwords in a password management system such as KeePass. Of course, you lose the convenience of having the browser auto-fill your passwords.
- Use a 3rd party utility which integrates with IE and uses a master password to manage your passwords.
- Encrypt your entire hard drive using TrueCrypt. This is completely optional and for the ultra protective, but if someone can’t decrypt your drive they surely can’t get anything off of it.
Of course these go without saying, but this just reinforces the importance of taking steps to keep your system secure.