IEPasswordDecryptor Gathers all Autocomplete Passwords in Seconds
Product Overview
IEPasswordDecryptor is a small, easy to use application which quickly lists all autocomplete passwords stored by Microsoft Internet Explorer. Within seconds, without installing anything, you can retrieve any passwords used to access protected sites.
To review this product, I downloaded a copy--it’s free–to my Windows 7 desktop. I used IE 8 as the test browser.
Installation (5 out of 5)
Installation is easy… there is none. Once I downloaded the install package, I unzipped it and immediately ran the application. The initial screen is shown in Figure 1.
The lack of an install step allows you to place this application on a thumb drive or other external device for easy access to stored autocomplete passwords.
Feature Set (5 out of 5)
There isn’t much to say about features. IEPasswordDecryptor does what it says it will do; it displays all autocomplete passwords stored by IE, as shown in Figure 2:
Additional features include (from the product Web site):
- Recover autocomplete and HTTP basic authentication based passwords form IE version 4.0 to 8.0
- Reset the IE Content Advisor password
- Export decrypted password list to text or HTML files
- Display Web sites stored by IE history along with option to add/remove entries (see Figure 3)
- Export IE history to HTML file
- Sort the password and history entries
My biggest problem, which I quickly figured out, was with intermittent autocomplete functionality. No, this isn’t an issue with IEPasswordDecryptor. However, I would be much happier this morning if a small note in a small help file would have let me know what to look for.
It seems that autocomplete can be thwarted with a simple HTML setting, as shown in Figure 4.
This HTML source is from a bank Web site at which I was unable to use autocomplete. Note the “off” parameter at the red arrow. Including this in a form helps prevent the risky user behavior of saving passwords locally for form auto-fill. This isn’t as big a problem as it might seem. Most users use the same one or two passwords on all sites. So all you really need is to retrieve any autocomplete passwords for supported sites. As shown in Figure 2 (yellow arrows), this user used the same password for the first two listed items. Chances are it is used on a score of other, unlisted sites as well.
Cost (5 out of 5)
No issues here. It’s free.
The Final Word
IEPasswordDecryptor is an excellent product if you must retrieve all IE autocomplete passwords from a user’s machine. However, I always have concerns about products like this.
Users don’t typically need special software to recover forgotten online passwords. I don’t think any of the 30 or so sites I log into lack a way to get a new password or the old password sent if forgotten. So using this for user productivity or convenience seems limited.
So who needs this? Well, someone trying to harvest passwords from someone else’s computer seems like a good example. If an attacker has physical access, simply running it from a USB attached storage device and downloading exported results takes less than a minute. This product could also be used as part of a remote attack with exported data sent to the attacker’s home server.
Although products like this may have limited use in a business or home environment, they are excellent tools for those on the dark side. So you might want to add the IEPasswordDecryptor executable (IEPasswordDecryptor) to your list of end-user software you want to know about or block for unauthorized users.
But the most interesting thing about this product is the ease with which stored password encryption is hacked. The cracking source, for both site passwords and browser master passwords, is widely available. So the best thing you can do for your IE users is to use centrally controlled settings to disable autocomplete.
Finally, for those like me who rarely use IE, there are versions to recover autocomplete passwords from FireFox and Chrome.
