New Tool Reveals Internet Passwords

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."

Prettier Tool, Old Exploit

[eldavojohn]

This tool appears to just be a well written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView, Google Chrome Pass, Messanger Key for instant messengers and even Password Fox.

When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client are remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.

Re:Prettier Tool, Old Exploit

[stonewallred]

WTF!!! How did you find out my master password??!!?!?!

Re:Prettier Tool, Old Exploit

[Cryacin]

What? That's the same combination as my luggage.

Re:Prettier Tool, Old Exploit

[Yvan256]

http://bash.org/?244321.

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia, forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish. Oh well...

Hmm... This is an old story, so this probably won't receive any mods, but I have no idea what I'd mod it if I were moderating. Flamebait/Insightful/Funny/Interesting/Off-topic maybe? Mods, if you can coordinate to apply each of those once, it would be awesome (and I'd end up with overall neutral Karma!). :-)

Slashvertisment if EVER I saw one.

[richy+freeway]

None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

Check out http://www.nirsoft.net/utils/#password_utils for password recovery tools, for free, that have been available for ages.

Title is Inaccurate

[Cytlid]

It should read "New Tool Reveals Windows Passwords".

Heh

[Pojut]

This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

Ah, memories...

Sigh.

[Spyware23]

This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (ie. hackers), not "news" websites which place more product placement than news.

Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

Which is this?

[tverbeek]

Is this an alert or an advert? ;)

Re:Solve the problem

[L4t3r4lu5]

Further, "CmdrTaco! Look out! kdawson has stolen your password using this tool and is posting inflammatory and poorly researched crap using your account!"

I'm glad they finally figured this out.

[hilather]

I was beginning to think IE cache was unbreakable...