Slashdot Mirror


New Tool Reveals Internet Passwords

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."

26 of 140 comments

  1. Prettier Tool, Old Exploit by eldavojohn · · Score: 5, Insightful

    This tool appears to just be a well-written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView, Google Chrome Pass, Messenger Key for instant messengers and even Password Fox.

    When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client is remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

    A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.

    --
    My work here is dung.
    1. Re:Prettier Tool, Old Exploit by ShadowRangerRIT · · Score: 5, Informative

      This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:Prettier Tool, Old Exploit by AlexiaDeath · · Score: 2, Informative

      msgshit.com - interesting domain name. Deliberate, it seems. 5pts. All your cached passwords are readable. They have to be to be used. Duh! Nobody caching their passwords should be surprised by that...

    3. Re:Prettier Tool, Old Exploit by stonewallred · · Score: 4, Funny

      WTF!!! How did you find out my master password??!!?!?!

    4. Re:Prettier Tool, Old Exploit by Cryacin · · Score: 5, Funny

      What? That's the same combination as my luggage.

      --
      Science advances one funeral at a time- Max Planck
    5. Re:Prettier Tool, Old Exploit by Voulnet · · Score: 2, Funny

      Damn, I didn't know Kevin Mitnick started posting on Slashdot after his interview here.

    6. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 2, Insightful

      Not to mention that for the open source browsers you can probably just look to see where it stores those keys. This is not a knock against the system, or even the approach, but just an observation.

      Assuming the tool is just using the associated "Remember my password" functionality, then this is a non-story and people could get it without the tool. Heck, in Firefox, and I believe Chrome, you can view your stored passwords in plain text using the built-in password manager.

    7. Re:Prettier Tool, Old Exploit by ehrichweiss · · Score: 2, Informative

      If you assign a master password, that changes for you a bit; it won't show them without you entering the master password, twice IIRC.

      --
      0x09F911029D74E35BD84156C5635688C0
    8. Re:Prettier Tool, Old Exploit by Yvan256 · · Score: 4, Funny
    9. Re:Prettier Tool, Old Exploit by natehoy · · Score: 2, Informative

      Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The only difference is that in the Microsoft case, you're always logged in. In the Seamonkey/Firefox case, you're only logged in after you've entered the password to access the password store, which is probably "only" 99% of the time you surf the Web, but at least the password store is pretty secure if you're not running your browser at all, or haven't used the password store yet for that session.

      Of course, the alternative is to use the password just long enough to perform the requested operation, then forget it. That means, though, that you'd have to ask for the security password every time a site wants to retrieve a password from the store or the user wants to add or update a password in the store. Then people would just remove the password, because that would be a pain. Think Vista/7 UAC popups that each need a password, or sudo/su in Linux, but every time you want to use a stored password in your browser. Most people would tolerate that for about as long as it takes to remove the password.

      And, if you don't bother putting a password on it (Firefox leaves the password off by default, and I don't know anyone else who actually uses it), then Firefox is just as vulnerable as the Microsoft exploit.

      Yes, the tool is AVAILABLE, but the benefits it offers are somewhat marginal and it's not the default setting.

      If you want passwords stored and entered automatically, then the passwords are no longer under your control to enter manually and there's going to be a way for them to be read once you make them conveniently available. By all means, use the password store (and the password that protects it, please!) for things like your Slashdot account, etc. Just for the love of [insert deity of choice] DON'T use it for passwords like your bank account or credit cards.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    10. Re:Prettier Tool, Old Exploit by ShadowRangerRIT · · Score: 3, Interesting

      Well, the Windows scheme only protects your password from malicious software if you never log in at all; once you're logged in any program can pull the passwords, even if you never load the browser. Firefox can only give up master password protected passwords if you launch the browser and provide the master password. And an extension exists to configure the Firefox password manager to "forget" the master password (which is never actually stored, but you know what I mean) after a few minutes, limiting the window of vulnerability further.

      Beyond that, if you've got truly malicious software actively running on your computer at all times (not just some website that gets brief read access through an exploit), you're hosed no matter what. Even if you never use a password manager, they can read the password as you type it into the browser; it might take more time than decrypting a password store and forwarding the data in bulk, but it's just as effective over the long haul. It's a trade off between window of vulnerability, scale of breach, and hassle. No manager at all is a hassle (to remember all usernames and passwords), but it's the most secure, since you can only lose one password at a time, with narrow windows of vulnerability. Password managers mean the scale of breach potential increases (you can lose them all at once). Firefox with a master password narrows the window of vulnerability relative to IE, and the extension that re-locks the store narrows it further, at the cost of needing to remember and type the password store password.

      I consider it a reasonable trade-off, given that I'm not going to remember the user name and password for every site I visit. Even if I wanted to use the same one everywhere (and I don't, because then one site breach means I lose everything), differing username and password requirements make that impossible, and frankly, my memory isn't good enough to track login info for fifty odd websites, including a dozen I visit only once or twice a year.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    11. Re:Prettier Tool, Old Exploit by ShadowRangerRIT · · Score: 5, Interesting

      Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia, forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish. Oh well...

      Hmm... This is an old story, so this probably won't receive any mods, but I have no idea what I'd mod it if I were moderating. Flamebait/Insightful/Funny/Interesting/Off-topic maybe? Mods, if you can coordinate to apply each of those once, it would be awesome (and I'd end up with overall neutral Karma!). :-)

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  2. Slashvertisement if EVER I saw one. by richy freeway · · Score: 5, Interesting

    None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

    Check out http://www.nirsoft.net/utils/#password_utils for password recovery tools, for free, that have been available for ages.

  3. New? I don't think so. by jack2000 · · Score: 2, Funny

    This isn't new by any foxnews stretch of the word.

  4. Title is Inaccurate by Cytlid · · Score: 4, Informative

    It should read "New Tool Reveals Windows Passwords".

    --
    FLR
  5. Heh by Pojut · · Score: 5, Interesting

    This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

    This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

    Ah, memories...

    1. Re:Heh by Anonymous Coward · · Score: 2, Funny

      wtf? I almost have the exact same story...

    2. Re:Heh by Pojut · · Score: 2, Informative

      The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)

  6. Sigh. by Spyware23 · · Score: 5, Interesting

    This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If Slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (i.e. hackers), not "news" websites which place more product placement than news.

    Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

  7. Passwords by Rik Sweeney · · Score: 2, Funny

    And it's for this reason that I write all my passwords down on the back of my hand.

    I've already addressed the problem of them washing off by using permanent marker. And not bathing.

  8. Which is this? by tverbeek · · Score: 4, Insightful

    Is this an alert or an advert? ;)

    --
    http://alternatives.rzero.com/
  9. Re:Well, ok by prionic6 · · Score: 2, Funny

    I think it effected his post.

  10. Firefox password security by bartwol · · Score: 3, Informative

    Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.

    Here are some more details about how Firefox stores passwords.

  11. Re:Solve the problem by L4t3r4lu5 · · Score: 4, Funny

    Further, "CmdrTaco! Look out! kdawson has stolen your password using this tool and is posting inflammatory and poorly researched crap using your account!"

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  12. I'm glad they finally figured this out. by hilather · · Score: 4, Funny

    I was beginning to think IE cache was unbreakable...

  13. Depends by Sycraft-fu · · Score: 2, Interesting

    Anything that just stores passwords for automatic login, and doesn't require any user interaction, is not secure from something like this. Reason is if a program, like say Thunderbird, can get your e-mail password to hand off to the server, well then another program can too. It is stored in some easily reversible form. However, if the program itself needs a password to access the password store, then it should be secure provided a good password is used. The reason is that it uses that password to encrypt the other passwords with strong encryption. The only way to get at them is to find out the password that is encrypting them.

    So if you want the convenience of entering no password, where it just remembers your stuff and never asks you, no, sorry, there is no way to make that secure from another program on your system. However if you have lots of passwords and can't remember all of them and just want to remember one, then a program that uses a master password to encrypt the others will keep them secure, if the master is a good password.
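
The two storage models contrasted in this thread, a key kept in the profile next to the ciphertext versus a key derived from a master password, shown as an added example that is not part of the original comments or any browser's code. The function names, the profile layout and the HMAC-based stream cipher are assumptions for illustration (a real store would use a vetted cipher such as AES-GCM), and the sample password is constructed.

```python
import hashlib
import hmac
import secrets

def _subkeys(key):
    # Separate encryption and MAC keys derived from one store key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # Toy cipher (assumption): HMAC-SHA256 in counter mode, stdlib only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(key, rec):
    enc_key, mac_key = _subkeys(key)
    tag = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        raise ValueError("wrong key or modified record")
    return _xor_stream(enc_key, rec["nonce"], rec["ct"])

# Model 1: "remember my password" with no prompt. The key lives in the profile.
def save_auto_login(password):
    key = secrets.token_bytes(32)
    return {"key": key, "entry": seal(key, password)}

def read_auto_login(profile):
    # Needs nothing from the user: whoever can read the profile can decrypt.
    return unseal(profile["key"], profile["entry"])

# Model 2: master password. Only a salt is stored; the key is re-derived.
def _derive(master, salt):
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)

def save_with_master(password, master):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "entry": seal(_derive(master, salt), password)}

def read_with_master(profile, master):
    return unseal(_derive(master, profile["salt"]), profile["entry"])
```

As the thread notes, model 2 protects the profile at rest only as well as the master password resists guessing; the PBKDF2 iteration count just raises the cost per guess.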