
How-To Geek

How Secure Are Your Saved Internet Explorer Passwords?


One of the most convenient tools browsers offer is the ability to save and automatically prefill your passwords on login forms. Because so many sites require accounts and it is well known (or should be at least) that using a shared password is a big no-no, a password manager is almost essential.

So if you are an IE user and answer “yes” to allow the browser to remember your password, how secure is this information?

Where are they saved?

Starting with Internet Explorer 7, saved passwords are stored in the registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 and encrypted with the Windows Data Protection API (DPAPI), whose master key is derived from the Windows user’s logon password. DPAPI used Triple DES on Windows XP and uses AES-256 from Windows Vista onward; the trust model described below is the same in either case.
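The following PowerShell is an added example, not code from the article or from NirSoft. Run it in the account whose saved passwords you are looking at: it lists the Storage2 entries (the key only exists once IE has saved at least one password) and then shows the DPAPI primitive IE relies on, including why the optional entropy IE derives from the login URL adds nothing against someone already in your session. The sample secret and the example URL are constructed for the demonstration.

```powershell
# Added example, not code from the article. Run it as the user whose saved
# passwords you want to inspect.
Add-Type -AssemblyName System.Security   # ProtectedData lives here in Windows PowerShell 5.1

$storage2 = 'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2'
if (Test-Path $storage2) {
    $key = Get-Item $storage2
    # Each value name is a hash of the login URL; each value is a DPAPI blob (REG_BINARY).
    foreach ($name in $key.GetValueNames()) {
        $blob = [byte[]]$key.GetValue($name)
        '{0}  {1} bytes' -f $name, $blob.Length
    }
} else {
    "No Storage2 key: IE has not saved any passwords for $env:USERNAME."
}

# DPAPI user scope: the key is derived from the logon password, so any process
# running as this user can decrypt, with no prompt and no UAC elevation.
$plain = [Text.Encoding]::Unicode.GetBytes('correct horse battery staple')   # constructed sample secret
$blob  = [Security.Cryptography.ProtectedData]::Protect($plain, $null, 'CurrentUser')
$back  = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser')
'round trip: ' + [Text.Encoding]::Unicode.GetString($back)

# Optional entropy is a second input that must be supplied again to decrypt.
# IE derives it from the login page's URL, which is not a secret, so it adds
# nothing against an attacker already running in your session; only a secret
# the user types (a master password) would.
$entropy = [Text.Encoding]::Unicode.GetBytes('https://example.com/login')   # stands in for the URL
$blob2   = [Security.Cryptography.ProtectedData]::Protect($plain, $entropy, 'CurrentUser')
try {
    [Security.Cryptography.ProtectedData]::Unprotect($blob2, $null, 'CurrentUser') | Out-Null
    'decrypted without the entropy (unexpected)'
} catch {
    'decrypting without the entropy fails: ' + $_.Exception.InnerException.Message
}
'with the entropy: ' + [Text.Encoding]::Unicode.GetString(
    [Security.Cryptography.ProtectedData]::Unprotect($blob2, $entropy, 'CurrentUser'))
```

Nothing in the round trip asks for a credential: the only thing Windows checks is that the calling process belongs to the user who protected the data, which is exactly the property the rest of the article turns on.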

How secure is this data?

At the time of this writing, Triple DES (and the AES-256 that DPAPI uses on newer Windows) is out of reach of brute force. But there is no need to brute-force anything once you are logged in to the Windows account that owns the data: DPAPI protects this data in user scope, meaning the key is derived from the account’s logon password and any process running as that user can ask Windows to decrypt it, with no prompt. Because IE does not layer a master password on top (as Firefox does), the Windows account password is the only secret standing between an attacker and the decryption key.

Simply put, if you can log in to Windows with the account and password, you can see the saved browser passwords. Using a freely available utility such as NirSoft’s IE PassView, you can view and export every saved IE password.


So can malware access this?

After seeing how easy it is to get to this data, the next logical question is whether malware can get to it just as easily. I am not a malware developer, but I see no reason it could not. Scanning the IE PassView utility with VirusTotal shows that 55% of the engines flag it as malware (one of which is Microsoft Security Essentials).


In our case that is a false positive, but it also means 45% of the engines let a working password-extraction tool through, so malware that does the same thing can run undetected even on a system with anti-virus. Additionally, because the data is protected under the user’s own account, an application decrypting it triggers no UAC prompt: DPAPI decryption is an ordinary user-level operation. Before calling this a flaw in the OS, consider that it has to work this way; otherwise IE and every other Windows application that stores secrets with DPAPI would raise a UAC prompt each time it opened.

What if my computer is stolen?

The simple answer is that this data is exactly as secure as your Windows account password. As shown above, once you log in to the account with the correct password, all of this data is easily accessible. If you use no password, you have no protection.

To take this a step further, I reset the account password from outside Windows to see what happens when the password is changed forcibly rather than through Windows. After the reset, I saved a password for a new Gmail address (blah@) and ran IE PassView. It still showed the user name (myemail@) saved before the reset, but because the DPAPI master key protecting the old data was itself encrypted with the old account password (the de facto “master password”), it could not decrypt the IE password saved under the previous Windows account password. This is definitely a good thing. Note that it only holds for a reset done outside Windows or forced by an administrator: a normal password change made while logged in re-encrypts the DPAPI master keys, so saved passwords stay readable, and on a domain-joined machine the domain’s DPAPI backup key lets a domain administrator recover them.


Conclusion

At the end of the day, the security of your IE saved passwords depends entirely on the user:

  • Use a very strong Windows account password. Keep in mind that there are utilities which recover Windows passwords from the stored hashes offline; whoever gets your Windows account password has your saved IE passwords.
  • Protect yourself from malware. If a freely available utility can read your saved passwords, so can malware.
  • Save your passwords in a password management system such as KeePass. Of course, you lose the convenience of having the browser auto-fill your passwords.
  • Use a third-party utility which integrates with IE and protects its store with a master password.
  • Encrypt your entire hard drive, for example with TrueCrypt. This is completely optional and for the ultra-protective, but if someone can’t decrypt your drive they can’t get anything off of it, including the password hashes the cracking utilities need.

Of course all of these go without saying, but this just reinforces the importance of taking steps to keep your system secure.

Download IE PassView from NirSoft

Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away. Interact with him on Google+

  • Published 07/19/11

Comments (28)

  1. Ivan Lapis

    Interesting, thanks for the insight on this. So then people without windows passwords are much more vulnerable than they are already? Right?

  2. Beko

    Wow .. now that’s another reason to dump IE … it seems no matter what IE version user uses it isn’t as Microsoft says “The most secured browser” … once someone else logs into windows he can easily see my passwords …

  4. Andy

    Who uses IE anyway?

  5. Dan

    Windows’ login password is quite insecure. There are utilities that can be used to brute force it in seconds. Which is why I use Truecrypt’s full disk encryption. I haven’t used IE extensively for about a decade now, but my impression is that MS is working hard to harden and speed up their browser. It won’t be my first choice but I would use it if there are no available alternatives (I’ll just use a third-party password manager to secure my logins).

  6. Jonathan

    The same thing happens with Mozilla Firefox if you’re wondering. You can run Identity Finder on any PC and find passwords cached for Firefox, IE, and Chrome. Try it for yourself.

  7. Tim

    IE is the best browser…………………to download a better browser ;)

  8. Jason Faulkner

    @Ivan Lapis – With no PW on your Windows account, people who have physical access can get to anything on your system… files, email, IE PW, etc. This should be understood if you have no PW set.
    The big problem would be if your computer was physically stolen… the thief would have no barriers to accessing this data.

    @Beko – Not necessarily, IMO this is a reasonable amount of security as someone would have to know your Windows account password in order to read the PW’s. I think a separate master password like FF uses would be a great addition, but as is there is strong encryption on this data.

  9. Jason Faulkner

    @Dan – As far as I know, the PW cracking utilities (like the one linked to in the article) use rainbow tables to lookup the respective hashed password. There is nothing any system can really do to protect against this.

    As long as you follow “standard” password creation guidelines: capital, lower letters, numbers and special chars with at least a length of 8, you should be pretty well protected with regards to your browser PW’s.

  10. Atomsk

    Even if you use a Windows password those are easy to get past by using ophcrack or konboot. And even if you do use another browser those passwords are still accessible in browsers like Firefox and Chrome using such programs as FirePassword.

  11. Chris Ritchie

    LastPass, another 3rd party utility, integrates quite well with IE and Chrome (haven’t tried it with Firefox but they say that it does work), and does have an optional autologin feature that you can set per specific site. And it’s free!

  12. x3geek

    wait a minute. “password” as a Password is strong :O

  13. johnp_80

    If somebody has physical access to your machine, the possibilities for mischief are pretty much endless.

  14. Wayne

    Personally, I don’t store password in my browser. I use Keepass on a thumb drive.

  15. No passwords

    That’s why I don’t use any passwords.

  16. iNB

    If someone has implemented AthTek Keylogger, all your password will be recorded!! Please be careful of that and check your PC now!

  17. Jason Faulkner

    @Atomsk – Only if you use a relatively weak password (letters only). If you have the “standard” strong password: 8+ chars, upper, lower, number, special char you are reasonably safe from rainbow tables. Take a look at the Ophcrack rainbow table character sets on Vista and you will see what I mean.

    @Chris Ritchie – I’m not a fan of LastPass. Call me paranoid but I don’t want _anyone_ having all my passwords but me, regardless of what their about page claims with regards to encryption and privacy… just look at DropBox.

  18. Jason Faulkner

    @johnp_80 – However, your saved passwords in IE are safe as long as they don’t know your account password. In the article I tested resetting the password outside of Windows and the old PW information was not readable.

    @Wayne – That is by far the safest method, but at the price of convenience. Security vs. convenience is always a trade-off.

    @iNB – If your system has been compromised to this level then _all_ of your security measures, no matter how complex, are compromised.

  19. keltari

    I never save passwords in browsers. If I did that, then someone who has access to my PC has access to everything. Just a bad idea. I always disable password saving.

  20. Ivydapple

    I use Firefox, and I don’t let it remember any passwords. I don’t think it’s safe, and I like to keep my passwords sharp in my mind so I don’t forget ‘em. :)

  21. Ivydapple 2

    goodbye password safe keeper in browser, and say welcome to k****pas password keeper kdbx

  22. peter

    IE does at least keep the saved passwords in a place that is less obvious than most other browsers. Firefox does give you the choice to create a master password to protect your saved passwords, but Chrome doesn’t.

    This has been suggested to Google, but their answer is just stupid and ignorant:
    http://www.google.com/support/forum/p/Chrome/thread?tid=5f249c4fa04ecd17&hl=en

    Yeah sure – if your computer is in the hands of someone, you’re screwed. But if it’s just your friend or co-worker who wants to prank you by changing your Facebook profile pic, they might not want to go through the trouble of downloading programs to read the passwords. But if it’s right there, easy to access, it’s just too easy.

  23. Jason Faulkner

    @peter – Great points.
    I can understand where Google and IE for that matter are coming from with the no master password because ultimately if your computer is compromised you are potentially completely hosed.
    On the other hand, I do believe having a master password would be a very welcome extra layer of protection (encryption on top of the standard encryption) for those of us who do want to take advantage of it… I know for sure that I would use it.

  24. karan

    Nice article.
    But I feel instead of “How Secure Are Your Saved Internet Explorer Passwords?”
    it should be “How Secure Are Your Saved Web Browser Passwords?”
    since all basic browsers are in the same water.
    The only difference is Opera and Firefox offer additional defenses in the menu.
    W/o a master password for both Opera and FF you can easily view them.
    The problem lies here:
    To extract passwords from IE or Chrome, 3-4 minutes max (or 1 minute) of physical access to a live computer is required.
    Whereas for FF or Opera, you will require to figure out the master password first before phishing.
    Additional security measures are always welcome.

    “”Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption.”” — Blair -Google Employee
    Such a reply is extremely immature according to me .

    Once again thank you for this article

  25. Jason Faulkner

    @karan – While I would agree having a master password would certainly be a nice extra layer of protection, I can appreciate where the Google quote is coming from.

    Locking your computer should be something you do any time you leave your computer unattended in a place where anyone can access it (i.e. work office). Odds are you do not close all your documents every time you leave your workspace, so if your computer was unlocked they can see anything you have open (email, Word docs, etc.) instantly without nosing through your My Documents.

    All it takes is a quick Ctrl+Alt+Del then Enter which takes about 1 second and all your data is reasonably protected.

  26. David

    On Firefox, you don’t have to download anything to go to the saved passwords. All you have to do is go to Tools, Options, Security, and click View Saved Passwords.

  27. Jason Faulkner

    @David – If you have a master password set in Firefox, you have to first enter that before you can view the saved passwords.

  28. GigaBitten

    Yeah, agreed. You do need a master password for Firefox. But why is it that the best selling brand of computer in the world the one that is easiest to get into? That is, without an encrypted hard drive?
