password recovery

Three times in as many days, I’ve wanted to recover a forgotten password. Two of these were for websites and the passwords were still stored in a browser (one in Firefox, one in Safari) and one was encrypted in an htpasswd file on a server. I have learned a number of things about password storage and password recovery tools in recovering these passwords. Chiefly, I learned that anyone with access to my computer can get these passwords, especially the ones hidden by stars in the browser window.

Here is a list, in order of increasing difficulty, of ways to find your own passwords:

  1. The Firefox password was easiest to recover. I’m not happy that Firefox, by default, stores passwords in plain text. If you have Firefox, all you do is go to Tools –> Options –> Privacy and click the password tab. If you click the show passwords button, you will see all your saved passwords. See Securing Firefox Passwords for information about how to correct this. Firefox passwords are also stored in an encrypted form in C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default
  2. For Safari on a Mac, go to Applications –> Utilities –> Keychain Access and enter part of the website’s address into the search field. Double-click one of the results, click “Show password”, enter the Admin password and you will see your password for that site. Beats the hell out of calling the bank.
  3. Passwords stored in Internet Explorer. IE stores these auto-complete passwords encrypted in the registry. The Internet Explorer developer’s toolbar does not reveal passwords hidden by dots. The Firefox Web Developer Toolbar does. So does the DOM inspector (but not if you set the master password!). There are several tools available that say they recover Internet Explorer passwords. I tried the free IEPassView and found it showed me all of my passwords for autocomplete forms and any realm authentications I have done.
  4. Brute Force Password Recovery Tool. This afternoon, I ran John The Ripper against an htpasswd file containing an encrypted password of mine from a year ago. It took nearly two hours, but it returned the password (8 alpha-numeric characters). It works by trying every possible sequence of characters and encrypting each one to see if it matches the string in the file. It is very simple to install and use. In fact, I just typed the following command and it was off and running:
    john htpasswd
    This should destroy the myth that breaking an encrypted password requires any special skill.
  5. RainbowCrack. Haven’t tried this one yet, but it is another brute force approach. This tool generates all the possible string-encrypted string pairs and saves them in big tables known as rainbow tables. When I have an encrypted password to recover, it is just a matter of doing a search across all those huge tables for the encrypted string. This is supposed to be much faster than John the Ripper.
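
As an added example (not from the original post): a defender-side audit of an htpasswd file that identifies the hash format of each entry and flags the ones items 4 and 5 apply to most easily, with unsalted entries being the ones a precomputed table covers. The sample file and user names are constructed, and `classify`, `audit_htpasswd` and `keyspace_bits` are names chosen here.

```python
import base64, hashlib, math, re

# Hash formats Apache htpasswd can write: (pattern, scheme, salted, note).
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt", True,
     "salted and deliberately slow; preferred"),
    (re.compile(r"^\$apr1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", True,
     "salted, but fast to compute, so guessing is cheap"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1", False,
     "unsalted: one precomputed table applies to every user"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt", True,
     "2-character salt; only the first 8 password characters count"),
]

def classify(hash_field):
    for pattern, scheme, salted, note in SCHEMES:
        if pattern.match(hash_field):
            return scheme, salted, note
    return "unknown-or-plaintext", False, "not a recognised hash; inspect by hand"

def audit_htpasswd(text):
    """Classify every 'user:hash' line; anything but bcrypt is flagged weak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        user, sep, hash_field = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        scheme, salted, note = classify(hash_field)
        findings.append({"line": lineno, "user": user, "scheme": scheme,
                         "salted": salted, "weak": scheme != "bcrypt", "note": note})
    return findings

def keyspace_bits(alphabet_size, length):
    """Bits of work needed to try every password of exactly this length."""
    return length * math.log2(alphabet_size)

# Constructed sample: format-shaped filler, not real password hashes.
SAMPLE = "\n".join([
    "alice:$2y$05$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode(),
    "dave:ab" + "C" * 11,
    "erin:hunter2",
])

if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE):
        print(f"{f['user']:6} {f['scheme']:21} weak={f['weak']!s:5} {f['note']}")
    print(f"8 alphanumeric characters: {keyspace_bits(62, 8):.1f} bits")
```

An 8-character alphanumeric password is under 48 bits of search space, so the format the file uses decides how long each guess takes.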

8 Responses to “password recovery”

  1. Matt J Says:

    This stuff worries me.
    Do you understand what is happening– I log into my bank using Internet Explorer. Everything goes fine but the program always crashes when I either log off or try to close IE. The error reads, ‘The instruction at ‘octal number’ referenced memory at ’same octal number’. The memory could not be ‘read’. Click on OK to terminate the program.’ I have switched to firefox for everything else, but with this one account it only works with the security key I have installed on IE.

  2. Tim Says:

    You got me. A google search shows that many people have this problem and there is no one cause or solution.
    If it only happens on that one web site, I would contact the bank because I’m sure they have other customers with the problem.

    Are you saying the bank won’t allow Firefox or you don’t have the password?

  3. Matt J Says:

    I haven’t spent enough time to set up firefox so that it works– I think I need to tell it where the security key is. It’s strange that IE only has this problem at the one website in the world that controls access to my paycheck.

  4. Shandy Says:

    I am trying to access the keychain access and there is no search field, so how do I access a password I have? and the website is in the list and it just has a bunch of random info

  5. Shandy Says:

    For this one all it says by it is “certificate”. Is there any way to get the password?

  6. Tim Says:

    Certificates are a way to store your digital identity. Your possession of the certificate is supposed to prove you are you.
    Here is some info about certificates in the mac keychain:
    http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2045.html

  7. Shandy Says:

    Is there any way to see my password through the certificate or no?

  8. Tim Says:

    I believe that it is not a password at all, so no.
