Wednesday, 27 June 2012

Password Secrets of Popular Windows Applications

Introduction

In today's Internet-driven world, all of us use one application or another, from browsers and mail clients to instant messengers. Most of these applications store sensitive information such as the user name and password in a private location using proprietary methods. This saves the hassle of entering the credentials every time during authentication.

However, it is important to know that if this secret information lands in another person's hands, either accidentally or by design, it can easily put your privacy at risk. Some applications take the utmost care to secure this sensitive information from prying eyes. But most applications use simple, or rather obscure, methods to store the credentials, which can easily put your privacy in jeopardy, as any spyware on your system can easily uncover these secrets. The same is equally true of anyone who has access to your system.


Password Secrets


In this context, this article throws light on those dark regions by exposing the secret storage location and encryption mechanism used by the most popular applications. It also presents pointers on how one can uncover such passwords using the tools available today. The last section lists the top password tools which can be used to automatically recover passwords stored by these applications.

Password Secrets of Windows Applications

Here is the list of popular applications, falling into categories such as Internet browsers, email clients and instant messengers, whose password secrets are exposed below.
Internet Browsers
    Firefox

Firefox versions up to 3.5 store the sign-on passwords in the 'signons.txt' file located in the profile directory. From version 3.5 onwards, Firefox stores the sign-on passwords in the SQLite database file named 'signons.sqlite'. The passwords stored in this sign-on file are encrypted using Triple-DES followed by BASE64 encoding.

Here is the default location of Firefox profile directory,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\Profiles\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\Profiles\<random_name>.default

To know how and what information is stored in this encrypted sign-on file, refer to this article page. You can instantly recover all these sign-on passwords using tools such as FirePassword (command line) or FirePasswordViewer (GUI).

Firefox provides an additional protection option called 'master password' to prevent malicious users from discovering these sign-on passwords. The master password itself is not stored anywhere directly, but its one-way hash and other relevant information are stored in the key3.db file within the profile directory. For more details, refer to the FireMaster article page.

If you have lost your master password, you can recover it using the FireMaster tool.



    Flock

Flock browser uses a storage format and encryption mechanism similar to Google Chrome's.

It stores website login passwords in the SQLite database file called 'Login Data' at the following profile location.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Flock\User Data\Default

[Windows Vista & Windows 7]
C:\Users\<user_name>\Appdata\Local\Flock\User Data\Default

Each stored sign-on entry mainly contains the website URL, username field id, username, password field id and encrypted password. For complete information on how the password is encrypted and other related details, refer to the research article 'Exposing the Password Secrets of Google Chrome'.

You can use ChromePasswordDecryptor to recover the website login passwords stored by Flock. By default it sets the profile path of Chrome, but you can change it to the Flock profile location above and recover all the stored passwords.





    Internet Explorer

Internet Explorer stores two types of passwords: sign-on passwords and HTTP basic authentication passwords (generally for proxies and router configuration). IE versions below 7 store both in the secure location known as 'Protected Storage' at the following registry location,

HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

From version 7 onwards, IE uses a new mechanism to store the sign-on passwords. The encrypted password for each website is stored along with a hash of the website URL at the following registry location.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Also from IE 7 onwards, HTTP basic authentication passwords are stored in the 'Credential Store' at the following location, depending on the operating system.

[Windows XP]
C:\Documents and Settings\[username]\Application Data\Microsoft\Credentials

[Windows Vista and Windows 7]
C:\Users\[username]\AppData\Roaming\Microsoft\Credentials







    Google Chrome

Google Chrome stores all sign-on passwords in the SQLite database file called 'Web Data' within the profile directory. Newer versions use the 'Login Data' file for storing login passwords. Here is the default location of the Chrome profile directory.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Google\Chrome\User Data\Default

[Windows Vista & Windows 7]
C:\Users\<user_name>\Appdata\Local\Google\Chrome\User Data\Default






    Google Chrome Canary or SXS

Google Chrome Canary or SXS is the parallel test version of Chrome which users can download and test, thereby helping Google to release a stable version of Chrome.

Like Chrome, it stores all sign-on passwords in the SQLite database file called 'Web Data' within the profile directory; newer versions use the 'Login Data' file for storing login passwords. However, the profile location of the Chrome Canary build is slightly different:

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Google\Chrome SXS\User Data\Default

[Windows Vista & Windows 7]
C:\Users\<user_name>\Appdata\Local\Google\Chrome SXS\User Data\Default

It also uses the same storage and encryption mechanism as Chrome. Each stored sign-on entry mainly contains the website URL, username field id, username, password field id and encrypted password. For complete information on how the password is encrypted and other related details, refer to the research article 'Exposing the Password Secrets of Google Chrome'.

You can use ChromePasswordDecryptor to automatically recover all the sign-on passwords stored by Chrome. By default it sets the profile path of Chrome; here you need to change it to the Chrome Canary location mentioned above.




    Opera

Opera stores the login passwords in an encrypted format in the 'Magic Wand File' called 'wand.dat' within its profile directory. This profile path differs between versions of Opera, as shown below.

For Opera Version 10 and above
[Windows NT/2K/2k3/XP]
C:\Documents and Settings\<username>\Application Data\Opera\Opera\wand.dat

[Windows Vista/Windows 7]
C:\users\<username>\AppData\Roaming\Opera\Opera\wand.dat

For Opera Version less than 10
[Windows NT/2K/2k3/XP]
C:\Documents and Settings\<username>\Application Data\Opera\Opera\profile\wand.dat

[Windows Vista/Windows 7]
C:\users\<username>\AppData\Roaming\Opera\Opera\profile\wand.dat

The wand file mainly contains the website URL, username and password, which are encrypted using the Triple-DES algorithm. For more details on how these secrets are encrypted and how to decrypt them, refer to the main research article 'Exposing the Secret of Decrypting Opera's Magic Wand'.





    Safari

Safari uses a strong storage format and encryption mechanism for securely storing website login passwords. Login passwords, along with other information, are stored in the 'keychain.plist' file at the following central location.

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Apple Computer\Preferences

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Apple Computer\Preferences

The keychain file uses the binary Property List format (typically found on the Mac), which contains information such as the website server name, user login and encrypted password. The password is encrypted using cryptography functions with a salt value to make it stronger.






Email Clients
    ThunderBird

Thunderbird stores all remembered email settings along with the password in the SQLite database file 'signons.sqlite' in its profile location. The default profile location for different platforms is as follows,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Thunderbird\Profiles\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Thunderbird\Profiles\<random_name>.default





    Microsoft Outlook

Newer versions of Outlook, from 2002 to the latest version 2010, store the passwords (other than Exchange server passwords) for email accounts such as POP3, IMAP, SMTP and HTTP at the following registry location.

[Windows NT onwards]
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

[Prior to Windows NT]
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles

Newer versions of Outlook (2002-2010) store the Exchange server passwords in the 'Credential Store', as it provides better protection than other methods. You can use OutlookPasswordDecryptor or NetworkPasswordDecryptor to recover such passwords.

Older versions of Outlook (Outlook Express, 98, 2000 etc.) store the email configuration information along with the encrypted password at the following registry location,

[For Outlook installed in Internet Mail Only Mode Configuration]
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

[For Outlook in normal mode]
HKCU\Software\Microsoft\Internet Account Manager\Accounts





    Gmail Notifier

Gmail Notifier uses a different mechanism to store the Google account password depending on the IE version. For IE version 7 onwards, Gmail Notifier stores the password in the 'Windows Credential Store'. This password can be decrypted using the CredEnumerate API function. For a complete code sample to enumerate and decrypt the Google account password from the Credential Store, read the article 'Exposing Google Password Secrets'.





Instant Messengers
    Google Talk (GTalk)

Google Talk (GTalk) stores all remembered Gmail account information at the following registry location.

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

For each Google account, a separate registry key is created under this key, named with the account email id. The account password is encrypted and stored in the registry string value named 'pw' within this account registry key.

For more information on what mechanism GTalk uses to encrypt the password and how to decrypt it, refer to the research article 'Exposing Google Password Secrets'.




    Windows Live Messenger

Windows Live Messenger stores the account password in the 'Credential Store', which provides different credential types such as 'Generic', 'Domain Network' and 'Domain Visible Network' that applications can use to store and retrieve their private credentials. Each such type requires a different technique and privilege level to enumerate and decrypt the passwords.

Windows Live Messenger uses the 'Generic Password' type of the 'Credential Store' to store the passwords under the target name 'WindowsLive:name=<email_id>'. To know more about how to recover passwords stored by Live Messenger, read the research article 'Exposing the Password Secrets of MSN/Windows Live Messenger'.



    MSN Messenger

MSN Messenger also uses the 'Credential Store' to securely store the remembered passwords. These passwords are stored with the type 'Domain Visible Network', aka '.Net Passport', using the target name '.Net passport' within the 'Credential Store'.

For more details on how MSN Messenger stores the passwords and how to decrypt them, with a code example, read the research article 'Exposing the Password Secrets of MSN/Windows Live Messenger'.

You can recover all MSN Messenger stored passwords using MSNLivePasswordDecryptor or IMPasswordDecryptor.
Related Tools: MSNLivePasswordDecryptor, IMPasswordDecryptor, NetworkPasswordDecryptor
    Yahoo Messenger

Yahoo Messenger prior to version 7 used to store the password in the registry value 'EOptions String' at the following registry location,

HKEY_CURRENT_USER\Software\Yahoo\Pager

This password is encrypted and then encoded using the Yahoo64 algorithm (similar to Base64) and stored at the above location. The actual algorithm and encoding functionality is present in ycrwin32.dll (which can be found in the installed location of Yahoo Messenger).

For version 7 onwards, Yahoo stores an encrypted token derived from the username and password in the registry value 'ETS' at the same registry location. Though you cannot decrypt this token back to the password, you can copy it to another machine and continue to log in to Yahoo Messenger.

For more interesting details on this password token and authentication mechanism, refer to this research paper.
Related Tools: YahooPasswordDecryptor
    Skype

Skype does not store the password directly. Instead it stores an encrypted hash of the password in 'config.xml', located in Skype's user profile directory. The typical user profile directory for Skype is as follows,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Skype\<account_name>

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Skype\<account_name>

This config.xml contains a <Credentials2> tag holding the encrypted hash of the password. As per the research paper 'Vanilla Skype' by Fabrice Desclaux and Kostya Kortchinsky, Skype uses the MD5 hash of the string "username\nskyper\npassword" for authentication. If the user has set the 'Remember password' option, this MD5 hash is encrypted using the AES-256 and SHA-1 algorithms and finally saved into the 'config.xml' file.

Since only the hash of the password is saved, it is not possible to obtain the password directly. Instead one has to use a dictionary or brute-force approach to find the right password from the hash. This may take days or months depending on the length and complexity of the password.

You can use 'SkypePassword' from Lastbit to recover a stored Skype password.
Related Tools: SkypePassword by Lastbit
    AIM (AOL Instant Messenger)

AIM version 6 onwards stores the password at the following registry location,

HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords

AIM PRO uses a different registry location to store the passwords,

HKEY_CURRENT_USER\Software\AIM\AIMPRO\<Account_Name>

It uses the Blowfish algorithm to encrypt the password and then encodes it using BASE64. The resulting password is saved at the above registry location.

From version 7 onwards, AIM uses a new (yet to be broken ;) ) encryption mechanism, with the encrypted username/password saved in the file 'aimx.bin' at the following location

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\AIM

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Local\AIM

Internal encryption details are not yet clear but appear to be along the lines of Firefox. Reversing is going on but will take a while. I will update the details as I discover more!

You can use the Mspass tool from Nirsoft to recover passwords stored by AIM 6.x
Related Tools: Mspass by Nirsoft
    Trillian

[Version 4.21 build 24] - [Version 5.0.0.26]
Trillian Astra stores only the main account password (called the Identity or Astra password) in the 'accounts.ini' file at the location mentioned below. All other IM account passwords (such as Yahoo, GTalk, AIM, MSN etc.) are stored on the servers.

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Trillian\users\global\

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Trillian\users\global\

For each account it contains a section named '[Account<number>]' under which all information for that account is stored. The username is stored in the field 'Account=' and the password in the field 'Password='. Trillian first XOR-encodes the password with a standard pattern and then encodes it with BASE64 before storing it.

For more technical details on how different versions of Trillian encrypt the password and how it can be decrypted manually, refer to our research article 'Exposing the Password Secrets of Trillian'.

You can use TrillianPasswordDecryptor to automatically recover passwords stored by all versions of Trillian.
Related Tools: TrillianPasswordDecryptor, IMPasswordDecryptor
    Pidgin (Formerly Gaim)

Pidgin stores all configured account passwords in the "Accounts.xml" file located in the following directory

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\.purple

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\.purple

Older versions (Gaim) used the .gaim folder instead of .purple to store the account details. For each stored account, 'Accounts.xml' contains an <account> tag with sub-tags <name> and <password> holding the account email address and password in plain text, respectively.

You can recover Pidgin passwords using IMPasswordDecryptor.
Related Tools: IMPasswordDecryptor
    Digsby

Newer versions of Digsby (Build 83 - r27225 as of this writing) store the main account password in the 'logininfo.yaml' file at the following location,

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Digsby

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Local\Digsby

Digsby stores only the main account password locally; all other IM account passwords (such as Yahoo, Gmail, AIM) are stored on the servers. The main Digsby password is encrypted using a special algorithm with the username, Windows product id and install date as the key, and the result is then encoded with BASE64 before being stored in the above password file.

Earlier versions of Digsby saved the password in the 'Digsby.dat' file at the following location,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Digsby

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Digsby

Earlier Digsby versions used the hardcoded string 'foo' as the key, without BASE64 encoding.

For more information on how Digsby encrypts the password, how it is stored in its secret file and how one can decrypt it manually, refer to our research article 'Exposing the Password Secrets of Digsby'.

You can use DigsbyPasswordDecryptor or IMPasswordDecryptor to instantly recover the Digsby password for all versions.
Related Tools: DigsbyPasswordDecryptor, IMPasswordDecryptor
    PaltalkScene

PaltalkScene stores the main account password at the following registry location

HKEY_CURRENT_USER\Software\Paltalk\<nick_name>

The password is encrypted and stored in the registry value 'pwd' under this key. All other IM passwords, such as Gmail, Yahoo and AIM, are saved under separate sub-keys of this registry key. For example, Gmail accounts are stored under the following registry key,

HKEY_CURRENT_USER\Software\Paltalk\<nick_name>\GGL\<gmail_address>

All these IM passwords are encoded with BASE64 and stored in the 'pwd' registry value. For more technical details on how Paltalk encrypts the password and how one can decrypt it, refer to our research article 'Exposing the Password Secrets of PaltalkScene'.

You can recover the main password as well as all the IM passwords stored by Paltalk using PaltalkPasswordDecryptor and IMPasswordDecryptor.
Related Tools: PaltalkPasswordDecryptor, IMPasswordDecryptor
    Beyluxe Messenger

Beyluxe Messenger stores the main account password at the following registry location

HKEY_CURRENT_USER\Software\Beyluxe Messenger\<nick_name>

The password for each user is encrypted and stored in the registry value 'password' under this key. For more technical details on how Beyluxe encrypts the password and how you can decrypt it manually, refer to the research article "Exposing the Password Secrets of Beyluxe Messenger".

You can recover all such account passwords stored by Beyluxe Messenger using IMPasswordDecryptor.
Related Tools: IMPasswordDecryptor
    MySpace IM

MySpaceIM is one of the up-and-coming instant messengers; it stores the user account and password details at the following location.

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\MySpace\IM\users.txt

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\MySpace\IM\users.txt

The user login email id is stored in clear text, whereas the password is in encrypted format. The password is encrypted using 'Windows Crypto API' functions and then encoded using the BASE64 algorithm before being stored in this file. So in order to decrypt it successfully, one has to decode the password using BASE64 and then decrypt it using the CryptUnprotectData function.

You can use IMPasswordDecryptor to instantly recover account passwords stored by MySpaceIM.
Related Tools: IMPasswordDecryptor
    Miranda IM

Miranda is a popular open source messenger of recent times. Like most instant messengers, Miranda stores all user account information, including passwords, in the profile location, so that the user does not have to enter the passwords each time.

The latest version of Miranda (v0.9.10) stores the user account and password in the profile file at the following location

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Miranda\%profile_name%\%profile_name%.dat

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Miranda\%profile_name%\%profile_name%.dat

A user can have multiple profiles, specific to office or home environments, and the corresponding account information is stored in the respective profile file.

Initial versions of Miranda stored all account information in a .dat file directly within the base location, as shown below,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Miranda\<profile_name>.dat

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Miranda\<profile_name>.dat

Miranda uses its own proprietary mechanism to encrypt the password before storing it in the profile file.

For more details on how Miranda encrypts the password for different protocols and how to decode those secrets, refer to the research article "Exposing the Password Secrets of Miranda".

You can use MirandaPasswordDecryptor to instantly recover all account passwords stored by Miranda.
Related Tools: MirandaPasswordDecryptor, IMPasswordDecryptor

Miscellaneous Applications
    FileZilla

FileZilla stores all account information, along with the username and password, in the "recentservers.xml" file at the following location,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\FileZilla

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\FileZilla

This XML file contains an entry for each FTP server account in a <server> tag. Each server entry has <user> and <pass> tags containing the user name and password in plain text for the corresponding FTP server.
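The Pidgin Accounts.xml and FileZilla recentservers.xml files described above both keep passwords in clear text, so an administrator's first job is to find which accounts are exposed and rotate them. The following Python audit is an added example, not code from the original post: it parses both layouts and reports each account that has a saved clear-text password, giving only the password length so the secret never ends up in a report. Tag names are matched ignoring case (an assumption, since files on disk may capitalise them), and the two sample files are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    app: str           # application that wrote the file
    account: str       # account/user name found in clear text
    password_len: int  # length only; the secret itself is never reported


# Constructed sample of Pidgin's Accounts.xml: each <account> carries <name>
# and, when the password was remembered, a clear-text <password>.
PIDGIN_SAMPLE = """<?xml version='1.0'?>
<account version='1.0'>
  <account>
    <name>alice@example.org/Home</name>
    <password>hunter2</password>
  </account>
  <account>
    <name>bob_example</name>
  </account>
</account>
"""

# Constructed sample of FileZilla's recentservers.xml: one <server> per FTP
# host with <user> and a clear-text <pass>; tag case is assumed to vary on disk.
FILEZILLA_SAMPLE = """<?xml version="1.0"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.net</Host>
      <User>deploy</User>
      <Pass>s3cret-ftp</Pass>
    </Server>
    <Server>
      <Host>anon.example.net</Host>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Per-application tag names (entry, account, password), lower-cased
LAYOUTS = {"pidgin": ("account", "name", "password"),
           "filezilla": ("server", "user", "pass")}


def _child_text(elem: ET.Element, tag: str) -> Optional[str]:
    """Text of the first direct child whose tag matches, ignoring case."""
    for child in elem:
        if child.tag.lower() == tag and child.text is not None:
            return child.text
    return None


def audit_xml(app: str, xml_text: str) -> List[Finding]:
    """Return one Finding per entry that stores a clear-text password."""
    entry_tag, user_tag, pass_tag = LAYOUTS[app]
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.lower() != entry_tag:
            continue
        user = _child_text(elem, user_tag)
        secret = _child_text(elem, pass_tag)
        if user is None or secret is None:
            continue  # wrapper element, or an entry with no saved password
        findings.append(Finding(app, user, len(secret)))
    return findings


def audit_file(app: str, path: str) -> List[Finding]:
    """Audit a real Accounts.xml / recentservers.xml copied from a profile."""
    with open(path, encoding="utf-8") as fh:
        return audit_xml(app, fh.read())


if __name__ == "__main__":
    for f in audit_xml("pidgin", PIDGIN_SAMPLE) + audit_xml("filezilla", FILEZILLA_SAMPLE):
        print(f"{f.app}: account {f.account!r} has a {f.password_len}-char clear-text password")
```

Run it against copies of the real files with audit_file("pidgin", path) or audit_file("filezilla", path); accounts it lists should have their passwords changed and the saved entries removed.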




    Remote Desktop

Remote Desktop stores saved credentials in the 'Credential Store' using the target name 'LegacyGeneric:target=TERMSRV/<Host_IP_address>'. As many applications use the 'Credential Store' to save their passwords, this target name can be used to uniquely identify the stored 'Remote Desktop' passwords.

For more information on how the 'Credential Store' works and how to recover the password, read the research article 'Exposing the Secret of Decrypting Network Passwords'.



    Google Desktop Search

'Google Desktop Search' stores the Google account information in the registry when it is configured to search your Gmail account. Here is the registry location,

HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\Gmail

The above registry key contains 2 main registry values, 'POP3_name' and 'POP3_credentials', holding the Google account name and encrypted password respectively. For more details on how to decrypt this password, read the research article 'Exposing Google Password Secrets'.

You can use the GooglePasswordDecryptor tool to instantly recover any such password stored by Google Desktop Search.


    Picasa

Picasa stores the Google account password information at one of the following registry locations.

HKEY_CURRENT_USER\Software\Google\Picasa\Picasa2\Preferences
HKEY_CURRENT_USER\Software\Google\Picasa\Picasa3\Preferences

Some early releases of Picasa 3 used the second location, but later releases switched back to the first. The registry value 'gaiaEmail' contains the Google account id and 'gaiaPass' contains the encrypted password. Picasa versions 2 and 3 use different encryption mechanisms to store the password. For complete information on how to decrypt passwords stored by different versions of Picasa, read the article 'Exposing Google Password Secrets'.




    TweetDeck

TweetDeck is one of the popular Twitter clients, and it also supports other social networking sites such as Facebook, LinkedIn, MySpace and Buzz. It is developed using the Adobe AIR framework and hence uses the 'Encrypted Local Storage' (ELS) mechanism provided by Adobe AIR to store all the account credentials. The encrypted password files are stored at the following location, depending on the platform,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Adobe\AIR\ELS\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Adobe\AIR\ELS\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

On Windows, Adobe AIR uses DPAPI functions to encrypt the credentials using the 128-bit AES-CBC algorithm. Here is the typical ActionScript sequence generally used to store secret data in ELS.

import flash.data.EncryptedLocalStore;
import flash.utils.ByteArray;

// The secret to protect ("passw0rd" is only a sample value)
var strToEncrypt:String = "passw0rd";

// ELS stores ByteArray values, so copy the string's UTF-8 bytes into one
var myByteArray:ByteArray = new ByteArray();
myByteArray.writeUTFBytes(strToEncrypt);

// Save it under a key name; AIR encrypts the value before writing it to disk
EncryptedLocalStore.setItem("securityxploded", myByteArray);

I am still researching how to recover the account passwords stored by TweetDeck. I will update here as I discover more secrets.
