Leave a comment

IEPasswordDecryptor Review: Mining for Passwords with IEPasswordDecryptor

Written by:  • Edited by: Bill Bunter
Updated Dec 31, 2010 • Related Guides: Microsoft | HTML | IE
4

What happens if your favorite protected site begins blocking IE's autocomplete function. And you can't remember the password, since you haven't actually typed it for months? Further, there is no apparent way to recover it. IEPasswordDecryptor may be the answer.

Product Overview

IEPasswordDecryptor is a small, easy to use application which quickly lists all autocomplete passwords stored by Microsoft Internet Explorer. Within seconds, without installing anything, you can retrieve any passwords used to access protected sites.

To review this product, I downloaded a copy--it's free--to my Windows 7 desktop. I used IE 8 as the test browser.

Installation
Rating Excellent

Installation is easy... there is none. Once I downloaded the install package, I unzipped it and immediately ran the application. The initial screen is shown in Figure 1.

Figure 1: Initial Decryptor Screen
click to enlarge
The lack of an install step allows you to place this application on a thumb drive or other external device for easy access to stored autocomplete passwords.

Feature Set
Rating Excellent

There isn't much to say about features. IEPasswordDecryptor does what it says it will do; it displays all autocomplete passwords stored by IE, as shown in Figure 2:

Figure 2: Decryptor Password Listting
click to enlarge
Additional features include (from the product Web site):

  • Recover autocomplete and HTTP basic authentication based passwords form IE version 4.0 to 8.0
  • Reset the IE Content Advisor password
  • Export decrypted password list to text or HTML files
  • Display Web sites stored by IE history along with option to add/remove entries (see Figure 3)
  • Export IE history to HTML file
  • Sort the password and history entries

Figure 3: Decryptor Site History Listing
click to enlarge

My biggest problem, which I quickly figured out, was with intermittent autocomplete functionality. No, this isn't an issue with IEPasswordDecryptor. However, I would be much happier this morning if a small note in a small help file would have let me know what to look for.

It seems that autocomplete can be thwarted with a simple HTML setting, as shown in Figure 4.

Figure 4: Autocomplete Off
click to enlarge
This HTML source is from a bank Web site at which I was unable to use autocomplete. Note the "off" parameter at the red arrow. Including this in a form helps prevent the risky user behavior of saving passwords locally for form auto-fill. This isn't as big a problem as it might seem. Most users use the same one or two passwords on all sites. So all you really need is to retrieve any autocomplete passwords for supported sites. As shown in Figure 2 (yellow arrows), this user used the same password for the first two listed items. Chances are it is used on a score of other, unlisted sites as well.

Cost
Rating Excellent

No issues here. It's free.

The Final Word

IEPasswordDecryptor is an excellent product if you must retrieve all IE autocomplete passwords from a user's machine. However, I always have concerns about products like this.

Users don't typically need special software to recover forgotten online passwords. I don't think any of the 30 or so sites I log into lack a way to get a new password or the old password sent if forgotten. So using this for user productivity or convenience seems limited.

So who needs this? Well, someone trying to harvest passwords from someone else's computer seems like a good example. If an attacker has physical access, simply running it from a USB attached storage device and downloading exported results takes less than a minute. This product could also be used as part of a remote attack with exported data sent to the attacker's home server.

Although products like this may have limited use in a business or home environment, they are excellent tools for those on the dark side. So you might want to add the IEPasswordDecryptor executable (IEPasswordDecryptor) to your list of end-user software you want to know about or block for unauthorized users.

But the most interesting thing about this product is the ease with which stored password encryption is hacked. The cracking source, for both site passwords and browser master passwords, is widely available. So the best thing you can do for your IE users is to use centrally controlled settings to disable autocomplete.

Finally, for those like me who rarely use IE, there are versions to recover autocomplete passwords from FireFox and Chrome.

Next Article »
*Read the author's disclosure regarding this content here.
We Also Recommend...
 
blog comments powered by Disqus
Computer Security
FEATURED AUTHORS
Michele McDonough mathewf4rr3l Ravneet Kaur Tolga BALCI
Steve McFarlane Jayant R Row Sandro Gauci Yolander
Most Popular Articles
Email to a friend