Internet Explorer (Auto Complete) stores your passwords unencrypted!

May 22, 2007

When you check the auto-complete option in Windows Internet Explorer, you open yourself up to a mess of potential problems. Internet Explorer stores all of the user names and passwords that you tell it to learn in a single flat file that is unencrypted and can be easily read by a variety of programs.

I was installing a password managing program this morning and during one step of the installation process, I unexpectedly saw that all of my user names and passwords popped up completely visible. What this means is that if someone gained access to your computer, they could have full access to any password that you saved in auto-complete with Internet Explorer. It wouldn’t take someone with the least bit of technical competency to steal all of this information.

As far as data vulnerabilities go, this is about as big as it gets. Imagine: if someone logged onto your computer, they could access your online email, bank account, car insurance, and every other place where you clicked ‘Save Password’.

Do yourself some good and get a password management program, or just remember your passwords. It is so irresponsible for Microsoft to release a new internet browser and not encrypt information like this. Both Internet Explorer 6 and 7 store passwords without any encryption.


How to store passwords securely in Firefox
(Firefox still auto-completes, but the password file is encrypted and unreadable).

How to clear passwords in Internet Explorer 6 »

How to clear passwords in Internet Explorer 7 »

UPDATE ON THIS:
Before this gets out of hand, I want to clarify that the passwords are actually not stored in a flat file, but rather in a section of the computer’s registry. They are also not readable under every circumstance, but in my case and probably many other people’s, the user names and passwords can be easily extracted by the correct program. I read an incorrect source that at the time seemed credible, which I will reference if I can find it again. I apologize for the error.

Comments

7 Responses to “Internet Explorer (Auto Complete) stores your passwords unencrypted!”

  1. Sandi Hardmeier on May 23rd, 2007 6:12 am

    Your statements are incorrect. Usernames and passwords are stored, encrypted, in the computer registry.

    Yes there are programs out there that are able to decrypt the registry to retrieve the passwords, but that does not mean that the data is not encrypted. Unfortunately you have drawn completely wrong conclusions from your experience.

    You will find this URL useful in explaining the various ways that passwords are stored:

    http://www.nirsoft.net/utils/internet_explorer_password.html

    Information about “protected storage”:

    http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx

  2. wng_z3r0 on May 23rd, 2007 6:19 am

    http://msdn2.microsoft.com/en-us/library/ms533032.aspx

    When a user enters information in an INPUT type=text element and submits a form, that information is encrypted and saved in the data store. If the values of the NAME or VCARD_NAME attributes match the data in the data store, that information is provided in the AutoComplete box. A user can quickly travel through an extensive form, because the requested information already is available and only needs to be selected.

  3. Just because you read it on the Internet, does not make it true - Spyware Sucks on May 23rd, 2007 6:37 am

    [...] Here is the URL:http://www.ecommerce-blog.org/archives/internet-explorer-auto-complete-stores-your-passwords-unencry… [...]

  4. Dpark25 on May 23rd, 2007 9:34 am

    Regardless of whether or not the information is encrypted, this is just one of a few reasons to have a password manager. Obviously, you got RoboForm for a single user. There are also password management options for businesses. It’s just a cheap, easy way to manage all of your passwords and not have to worry about security.

  5. Dean Harding on June 5th, 2007 2:22 am

    the user names and passwords can be easily extracted by the correct program

    Um, duh. What good would they be if they couldn’t be extracted?

  6. jestep on June 5th, 2007 7:13 am

    What good are they if they can be that easily extracted? Not much point for a password at all if any program can un-encrypt them.

  7. Dean Harding on June 5th, 2007 6:54 pm

    Not much point for a password at all if any program can un-encrypt them.

    Some program has to decrypt them (i.e. Internet Explorer) so if one program can do it, all programs can do it. That is, unfortunately, a basic principle of security. In computers, security is based on the user not the program - so if someone else logged onto the computer, they would not be able to decrypt the files — they would need to know your password.

    The same is true of Firefox and Opera and basically any program that stores passwords (including “password vaults”).

    Anyone who tries to tell you differently is lying to you.
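
The point argued in the comments above (stored credentials are encrypted, but the protection is tied to the logged-on user rather than to one program) can be seen with this added example, which is not part of the original post or its comments. It uses the Windows DPAPI `ProtectedData` class as an assumed stand-in for user-bound storage; the page does not name the mechanism Internet Explorer uses, and the secret and file name are constructed.

```powershell
# Added illustration. DPAPI is an assumed stand-in for user-bound credential
# storage; the secret and file name below are constructed sample data.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('example-password-123')

# "Browser" side: encrypt under the logged-on user's key and store the result.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$path = Join-Path $env:TEMP 'dpapi-demo.bin'
[System.IO.File]::WriteAllBytes($path, $blob)

# The stored bytes are ciphertext: the plaintext string does not appear in them.
$asText = [System.Text.Encoding]::ASCII.GetString($blob)
"Plaintext visible in stored blob: $($asText.Contains('example-password-123'))"

# "Other program" side: a separate process running as the same user reads the
# blob back and decrypts it without being asked for any password.
$child = {
    param($p)
    Add-Type -AssemblyName System.Security
    $b = [System.IO.File]::ReadAllBytes($p)
    $s = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($b, $null, $s)
    [System.Text.Encoding]::UTF8.GetString($plain)
}
$job = Start-Job -ScriptBlock $child -ArgumentList $path
"Recovered by a second process, same user: $(Receive-Job -Job $job -Wait -AutoRemoveJob)"

Remove-Item $path
```

Running only the `Unprotect` step against the same file from a different Windows account throws a `CryptographicException`, which is the user boundary the last comment describes.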
