22
May
11

Internet Explorer (Auto Complete) stores your passwords unencrypted!

When you check the auto-complete option in Windows Internet Explorer, you have just opened yourself up to a mess of potential problems. Internet Explorer stores all of the user names and passwords that you tell it to learn in a single flat file that is unencrypted and can be easily read by a variety of programs.

I was installing a password managing program this morning and during one step of the installation process, I unexpectedly saw all of my user names and passwords pop up completely visible. What this means is that if someone gained access to your computer, they could have full access to any password that you saved in auto-complete with Internet Explorer. It wouldn’t take someone with the least bit of technical competency to steal all of this information.

As far as data vulnerabilities go, this is about as big as it gets. Imagine that if someone logged onto your computer, they could access your online email, bank account, car insurance, and every other place where you clicked ‘Save Password’.

Do yourself some good and get a password management program, or just remember your passwords. It is so irresponsible for Microsoft to release a new internet browser and not encrypt information like this. Both Internet Explorer 6 and 7 store passwords without any encryption.


How to store passwords securely in Firefox
(Firefox still auto-completes, but the password file is encrypted and unreadable).

How to clear passwords in Internet Explorer 6 »

How to clear passwords in Internet Explorer 7 »

UPDATE ON THIS:
Before this gets out of hand, I want to clarify that the passwords are actually not stored in a flat file, but rather in a section of the computer’s registry. They are also not readable under every circumstance, but in my case and probably many other people’s, the user names and passwords can be easily extracted by the correct program. I read an incorrect source that seemed credible at the time, which I will reference if I can find it again. I apologize for the error.

11 Comments:
  1. Sandi Hardmeier 23 May, 2007

    Your statements are incorrect. Usernames and passwords are stored, encrypted, in the computer registry.

    Yes there are programs out there that are able to decrypt the registry to retrieve the passwords, but that does not mean that the data is not encrypted. Unfortunately you have drawn completely wrong conclusions from your experience.

    You will find this URL useful in explaining the various ways that passwords are stored:

    http://www.nirsoft.net/utils/internet_explorer_password.html

    Information about “protected storage”:

    http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx

  2. wng_z3r0 23 May, 2007

    http://msdn2.microsoft.com/en-us/library/ms533032.aspx

    When a user enters information in an INPUT type=text element and submits a form, that information is encrypted and saved in the data store. If the values of the NAME or VCARD_NAME attributes match the data in the data store, that information is provided in the AutoComplete box. A user can quickly travel through an extensive form, because the requested information already is available and only needs to be selected.

  3. Dpark25 23 May, 2007

    Regardless of whether or not the information is encrypted, this is just one of a few reasons to have a password manager. Obviously, you got RoboForm for a single user. There are also password management options for businesses. It’s just a cheap, easy way to manage all of your passwords and not have to worry about security.

  4. Dean Harding 5 Jun, 2007

    the user names and passwords can be easily extracted by the correct program

    Um, duh. What good would they be if they couldn’t be extracted?

  5. jestep 5 Jun, 2007

    What good are they if they can be that easily extracted? Not much point for a password at all if any program can un-encrypt them.

  6. Dean Harding 5 Jun, 2007

    Not much point for a password at all if any program can un-encrypt them.

    Some program has to decrypt them (i.e. Internet Explorer) so if one program can do it, all programs can do it. That is, unfortunately, a basic principle of security. In computers, security is based on the user not the program – so if someone else logged onto the computer, they would not be able to decrypt the files — they would need to know your password.

    The same is true of Firefox and Opera and basically any program that stores passwords (including “password vaults”).

    Anyone who tries to tell you differently is lying to you.

  7. NORMA 11 Aug, 2009

    THANK YOU FOR YOUR GOOD ADVICE. I WAS ABOUT TO MAKE A HUGE MISTAKE. N.C.

  8. Patrick 29 Nov, 2009

    Just use MS Excel. There is an option to password an Excel file and keep all your uns and pws data there, and every time you open it you have to input a password.

  9. boris 7 Jan, 2010

    How can I save the username and password from a website until typing it on the website if I clicked before on “not save password”?

    Please keep me updated, this is urgent.

    thank you

  10. Ian Boyd 11 Jun, 2010

    Also understand that your encrypted passwords are accessible by you.

    This raises two points that should be explicitly stated:

    1. You can access all your encrypted passwords, no matter the program that creates them. This is the standard API that is used: you (meaning programs running as you) can access the password store.

    2. Other users cannot access your encrypted password. Your passwords are encrypted with a key unique to your account. The only way to gain access to your account’s encryption key is to know your Windows username and password.
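
The trust boundary described in comments 6 and 10, shown with the Windows Data Protection API (DPAPI) as an added example; this is not code from the post or its commenters, and reading DPAPI as the "standard API" mentioned above is an assumption. The sample secret and the entropy string are constructed.

```powershell
# Added example: DPAPI round trip under the current Windows account.
# Written for Windows PowerShell 5.1; sample values are constructed.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-password')

# Optional entropy: an application-chosen value mixed into the key.
# Here it is a constructed URL; any program that knows or can derive
# the same value can supply it, so it is not a per-program secret.
$entropy = [System.Text.Encoding]::Unicode.GetBytes('https://example.test/login')

# Encrypt. The key material is derived from the logged-on user's
# credentials, so the caller never handles a key.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
'stored blob (ciphertext, {0} bytes): {1}...' -f $blob.Length,
    [System.BitConverter]::ToString($blob, 0, 8)

# Decrypt. This succeeds in ANY process running as the same user,
# not only in the program that called Protect.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
'same user, same entropy: ' + [System.Text.Encoding]::UTF8.GetString($plain)

# Wrong or missing entropy: DPAPI refuses to decrypt.
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    'unexpected: decrypted without the entropy'
} catch {
    'same user, no entropy: ' + $_.Exception.GetBaseException().GetType().Name
}

# Running the Unprotect call above from a different Windows account
# against the same $blob fails the same way: that account's key
# material cannot unwrap data protected with CurrentUser scope.
```

The stored value is ciphertext, yet it is only as private as the logon session: lock the workstation and use separate Windows accounts, because every process running as you sits inside the boundary.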

Copyright © 2024 The Ecommerce Blog, Jamie Estep, All Rights Reserved