Post Comment

Add To Favorites

Email to Friends

Ezine Ready

Recovering Internet Explorer Passwords: Theory And Practice

By: Ivan Orlov Home | Computers-and-Technology | Data Recovery

Introduction

Types of passwords stored in Internet Explorer

Internet Credentials

AutoComplete data

AutoComplete passwords

FTP passwords

Synchronization passwords

Identities passwords

AutoForms data

Content Advisor password

Brief overview of Internet Explorer password recovery programs

PIEPR - the first acquaintance

Three real-life examples

Recovering current user's FTP passwords

Recovering website passwords from unloadable operating system

Recovering uncommonly stored passwords

Conclusion

Introduction
Nobody will likely dispute the fact that Internet Explorer is today's most popular Web browser. According to the statistics, approximately 70% of online users prefer to use just this program. Arguments about its pros and cons may last forever; still, this browser is the leader of its industry, and this is a fact that requires no proof. Internet Explorer carries several built-in technologies, designed to make average user's life easier. One of them - IntelliSense - is made for taking care of the routine tasks, like the automatic completion of visited webpage addresses, automatic filling of form fields, users' passwords, etc.

Many of today's websites require registration, which means, user would have to enter user name and password. If you use more than a dozen of such websites, you will likely need a password manager. All modern browsers have a built-in password manager in their arsenal, and Internet Explorer is not an odd. Indeed, why would one have to remember yet another password if it is going to be forgotten some time soon anyway? Much easier would be to have browser do the routine work of remembering and storing passwords for you. It's convenient and comfortable.

This would be a totally perfect solution; however, if your Windows operating system crashed or reinstalled not the way it's supposed to be reinstalled, you can easily lose the entire list of your precious passwords. That's the toll for the comfort and convenience. It's good just about every website has a saving 'I forgot password' button. However, this button will not always take your headache from you.

Each software developer solves the forgotten password recovery problem their own way. Some of them officially recommend copying a couple of important files to another folder, while other send all registered users a special utility that allows managing the migration of private data, and the third ones pretend they are not seeing the problem. Nevertheless, the demand creates the offer, and password recovery programs are currently on a great demand.

In this article, let's try to classify types of private data stored in Internet Explorer, look at programs for the recovery of the data, and study real-life examples of recovering lost Internet passwords.

Types of passwords stored in Internet Explorer
Internet Explorer may store the following types of passwords:

Internet Credentials

AutoComplete Data

AutoComplete Passwords

FTP Passwords

Synchronization Passwords for cached websites

Identities Passwords

AutoForms Data

Content Advisor Password

Let's take a closer look at each listed item.

Internet Credentials for websites
Internet credentials mean user's logins and passwords required for accessing certain websites, which are processed by the wininet.dll library. For example, when you try to enter the protected area of a website, you may see the following user name and password prompt (Figure 1).

Web site passwords

Figure 1. Internet Credentials dialog.

If the option 'Remember my password' is selected in that prompt, the user credentials will be saved to your local computer. The older versions of Windows 9... stored that data in user's PWL file; Windows 2000 and newer store it in the Protected Storage.

AutoComplete Data

AutoComplete data (passwords will be covered further) are also stored in the Protected Storage and appear as lists of HTML form field names and the corresponding user data. For example, if an HTML page contains an e-mail address entry dialog: once user has entered his e-mail address, the Protected Storage will have the HTML field name, the address value, and the time the record was last accessed.

The HTML page title and website address are not stored. Is that good or bad? It's difficult to determine; more likely to be good than bad. Here are the obvious pros: it saves free space and speeds up browser's performance. If you think the last note is insignificant, try to imagine how you would have to perform several extra checkups in a multi-thousand (this is not as rare as it may seem to be) auto-fill list.

Another obvious plus is that data for identical by name (and often by subject) HTML form fields will be stored in the same place, and the common data will be used for the automatic filling of such pages. We will see this by this example. If one HTML page contains an auto-fill field with the name 'email', and user entered his e-mail address in that field, IE will put in the storage, roughly, 'email=my@email.com'. From now on, if the user opens another website, which has a page with the same field name 'email', the user will be suggested to auto-fill it with the value that he entered on the first page (my@email.com). Thus, the browser somewhat discovers AI capabilities within itself.

The major drawback of this data storage method comes out of its advantage that we just described. Imagine, user has entered auto-fill data on a webpage. If someone knows the HTML form field name, that person can create his own simplest HTML page with the same field name and open it from a local disk. To uncover the data entered in this field, such person will not even have to connect to the Internet and open the original WWW address.

AutoComplete Passwords

In the case with passwords data, however, as you might have guessed, the data will not be filled in automatically. Since auto-complete passwords are stored along with the Web page name, and each password is bound to only one specific HTML page.

In the new version, Internet Explorer 7, both AutoComplete passwords and data are encrypted completely different; the new encryption method is free from the shortcoming just described (if that can be classified as a shortcoming.)

It is worth noticing that Internet Explorer allows users to manage auto-fill parameters manually, (Figure 2) through the options menu.

Figure 2. Internet Explorer AutoComplete settings.

FTP passwords
FTP site passwords are stored pretty much the same way. It would be relevant to notice that beginning with Windows XP FTP passwords are additionally encrypted with DPAPI. This encryption method uses logon password. Naturally, this makes it much more difficult to recover such lost passwords manually, since now one would need to have the user's Master Key, SID and the account password.

Synchronization Passwords for cached websites
Synchronization passwords free user from having to enter passwords for cached websites (sites set to be available offline.) Passwords of this type are also stored in IE's Protected Storage.
Identities passwords
So are identities passwords. The identity-based access management mechanism is not widespread in Microsoft's products, except, perhaps, Outlook Express.

AutoForms Data

A special paragraph must cover the form auto-fill method, which constitutes a hybrid way of storing data. This method stores the actual data in the Protected Storage, and the URL, which the data belong to, is stored in user's registry. The URL written in the registry is stored not as plaintext - it is stored as hash. Here is the algorithm for reading form auto-fill data in IE 4 - 6:

//Get autoform password by given URL

BOOL CAutoformDecrypter::LoadPasswords(LPCTSTR cszUrl, CStringArray *saPasswords)

{
    assert(cszUrl && saPasswords);

    saPasswords->RemoveAll();

    //Check if autoform passwords are present in registry

    if ( EntryPresent(cszUrl) )

    {

        //Read PStore autoform passwords

        return PStoreReadAutoformPasswords cszUrl,saPasswords);

    }

    return FALSE;

}

//Check if autoform passwords are present

BOOL CAutoformDecrypter::EntryPresent(LPCTSTR cszUrl)

{
    assert(cszUrl);

    DWORD dwRet, dwValue, dwSize=sizeof(dwValue);

    LPCTSTR cszHash=GetHash(cszUrl);

    //problems computing the hash

    if ( !cszHash )

        return FALSE;

    //Check the registry

    dwRet=SHGetValue(HKCU,_T("Software\\Microsoft\\Internet Explorer\\IntelliForms\\SPW"),cszHash,NULL,&dwValue,&dwSize);

    delete((LPTSTR)cszHash);

    if ( dwRet==ERROR_SUCCESS )

        return TRUE;

    m_dwLastError=E_NOTFOUND;

    return FALSE;

}

//retrieve hash by given URL text and translate it into hex format

LPCTSTR CAutoformDecrypter::GetHash(LPCTSTR cszUrl)

{
    assert(cszUrl);

    BYTE buf[0x10];

    LPTSTR pRet=NULL;

    int i;

    if (HashData(cszUrl,buf,sizeof(buf)))

    {

        //Allocate some space

        pRet=new TCHAR [sizeof(buf) * sizeof(TCHAR) + sizeof(TCHAR)];

        if (pRet)

        {

            for ( i=0; i<sizeof(buf); i++ )

            {

                // Translate it into human readable format

                pRet[i]=(TCHAR) ((buf[i] & 0x3F) + 0x20);

            }

        pRet[i]=_T('\0');

        }

        else

            m_dwLastError=E_OUTOFMEMORY;

    }

    return pRet;

}

//DoHash wrapper

BOOL CAutoformDecrypter::HashData(LPCTSTR cszData, LPBYTE pBuf, DWORD dwBufSize)

{
    assert(cszData && pBuf);

    if ( !cszData || !pBuf )

    {

        m_dwLastError=E_ARG;

        return FALSE;

    }

    DoHash((LPBYTE)cszData,strlen(cszData),pBuf,dwBufSize);

    return TRUE;

}

void CAutoformDecrypter::DoHash(LPBYTE pData, DWORD dwDataSize, LPBYTE pHash, DWORD dwHashSize)

{

    DWORD dw=dwHashSize, dw2;

    //pre-init loop

    while ( dw-->0)

        pHash[dw]=(BYTE)dw;

    //actual hashing stuff

    while ( dwDataSize-->0)

    {

        for ( dw=dwHashSize; dw-->0;)

        {

            //m_pPermTable = permutation table

            pHash[dw]=m_pPermTable[pHash[dw]^pData[dwDataSize]];

        }

    }

}

The next, seventh generation of the browser, is most likely going to make this user's data storage mechanism its primary data storage method, declining the good old Protected Storage. Better to say, auto-fill data and passwords, from now on, are going to be stored here.

What is so special and interesting in this mechanism that made MS decide to use it as primary? Well, first of all, it was the encryption idea, which isn't new at all but still simple and genius, to disgrace. The idea is to quit storing encryption keys and generate them whenever that would be necessary. The raw material for such keys would be HTML page's Web address.

Let's see how this idea works in action. Here is IE7's simplified algorithm for saving auto-fill data and password fields:

Save Web page's address. We will use this address as the encryption key (EncryptionKey).

Obtain Record Key. RecordKey = SHA(EncryptionKey).

Calculate checksum for RecordKey to ensure the integrity of the record key (the integrity of the actual data will be guaranteed by DPAPI.) RecordKeyCrc = CRC(RecordKey).

Encrypt data (passwords) with the encryption key EncryptedData = DPAPI_Encrypt(Data, EncryptionKey).

Save RecordKeyCrc + RecordKey + EncryptedData in the registry.

Discard EncryptionKey.

It is very, very difficult to recover password without having the original Web page address. The decryption looks pretty much trivial:

When the original Web page is open, we take its address (EncryptionKey) and obtain the record key RecordKey = SHA(EncryptionKey).

Browse through the list of all record keys trying to locate the RecordKey.

If the RecordKey is found, decrypt data stored along with this key using the EncryptionKey. Data = DPAPI_Decrypt(EncryptedData, EncryptionKey).

In spite of the seeming simplicity, this Web password encryption algorithm is one of today's strongest. However, it has a major drawback (or advantage, depending which way you look at it.) If you change or forget the original Web page address, it will be impossible to recover password for it.

Content Advisor password
And the last item on our list is Content Advisor password. Content Advisor was originally developed as a tool for restricting access to certain websi

Article Source: http://www.eArticlesOnline.com

About the Author:
Ivan Orlov, hief programmer. http://www.passcape.com

Tags: internet, explorer, ie, internet explorer, password, recovery, change, find, forgot, remove, lost, software, reset, cracker, browser, asterisk, decryp

Please Rate this Article

Not yet Rated

Click the XML Icon Above to Receive Data Recovery Articles Via RSS!

Recent Related Articles From Data Recovery

Internet Explorer Password Recovery Program
By: Rashmi | Jul 13th 2009
Internet explorer password recovery recovers and retrieves lost or forgotten IE saved password for any web forms email login accounts. Software provides interactive graphical user interface and successfully shows lost passwords of internet explorer. You can recover and restore any lost or forgotten password ever entered in ... Read
Internet Explorer Password Reset
By: Reset password | Mar 24th 2009
Asterisk password recovery tool allows you to uncover hidden password, identity password or administrator password from internet explorer. IE password retrieval software displays all lost or forgotten saved passwords for email accounts like Gmail. Read
Recover Internet Explorer Password
By: Data Rescue | Aug 25th 2009
Internet, explorer, Password, rescue, tool, retrieve, missing, erased, forgotten, logins, uncover, unmask, recover, hidden, lost, saved, secret, code, email, retrieval, utility, restore, misplaced, reveal, asterisk, string, MSN, Gmail, accounts Read
Recover Lost Password
By: Internet Password Recovery | May 25th 2009
Internet explorer password recovery software retrieves dial up passwords, search engine account, magazine subscription and web forms. IE password restoration utility recovers complex and lengthy passwords hidden behind multilingual symbols. IE password rescue program salvage user records including identity passwords and res ... Read
How To Undelete Internet Explorer History

Internet Explorer builds up a history of the websites you've visited. Every so often, it can pay to clear it out. But what if you do this and didn't mean to? Can you undelete Internet Explorer history?

As always with Windows, there's more than one answer to this question.

The simple one is to u ... Read
How To Troubleshoot Internet Explorer Errors
By: Jules Peters | Nov 18th 2008
The majority of computer users use IE to browse the web. So what if your Internet Explorer suddenly starts having problems? Unexpected crashes, hanging, weird errors... you need a structured approach to analyze and solve IE errors. Read
Internet Explorer - What It Is And Why It Can Be The Cause Of Poor Pc Performance

When you go to surf online, you will find that you click on the Internet Explorer button without thinking about it. You know that it will take you to your home page, but you might not know very much about what it does or what it really is. Read
Change Internet Explorer Proxy Settings
By: Roberto Bell | Mar 15th 2009
Internet Explorer (IE) is a widely used graphical Web browser. If you are just a newbie and IE is not yet installed in your computer, you can go to Microsoft’s website and download the latest version of IE. Read
Turn Off Internet Explorer Proxy Setting Detection
By: Roberto Bell | Mar 16th 2009
If you would like to turn off the Internet Explorer feature that detects the Internet proxy settings, here are the following steps to do so. Read
How To Fix Internet Explorer Errors
By: Quenzoe | Feb 13th 2011
Windows registry cleaner is quite a helpful tool to help fix pc problems such as to fix registry errors and fix internet explorer and other issues which slowing down your pc. Read

eArticlesOnline Authors:

Member login
Submit articles
Sign Up
FAQ
Submission guidelines

Publishers:

Ezine notifications
Article RSS feeds
Terms of service

Everyone:

New stuff
About us
eArticlesOnline blog
Link to us
Contact us
Privacy policy