SyntaxFix

[security] Where does Internet Explorer store saved passwords?

Where does Internet Explorer store saved passwords?

And since this is a programming site, I'm not literally asking for the location where IE stores passwords, but which API IE uses to save passwords.

At first I assumed that Microsoft was using the standard api:

which is used to save domain and generic program/web-site credentials.

CredRead/CredWrite then turn around around and use:

to encrypt data with the current user's account. CredRead/CredWrite then store the data in some magical location, contents of which you can see from the Control Panel:

enter image description here

But I don't see IE passwords in there. So IE doesn't store passwords using CredRead/CredWrite.

What API does IE use to store passwords, and if it uses CryptProtectData, where does it then store the protected data?

Edit: The reason I ask needs no explanation (since it's pretty obvious), but it's because I might want to use the same mechanism.

This question is related to security internet-explorer passwords password-protection

The answer is

I found the answer. IE stores passwords in two different locations based on the password type:

  • Http-Auth: %APPDATA%\Microsoft\Credentials, in encrypted files
  • Form-based: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2, encrypted with the url

From a very good page on NirSoft.com:

Starting from version 7.0 of Internet Explorer, Microsoft completely changed the way that passwords are saved. In previous versions (4.0 - 6.0), all passwords were saved in a special location in the Registry known as the "Protected Storage". In version 7.0 of Internet Explorer, passwords are saved in different locations, depending on the type of password. Each type of passwords has some limitations in password recovery:

  • AutoComplete Passwords: These passwords are saved in the following location in the Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 The passwords are encrypted with the URL of the Web sites that asked for the passwords, and thus they can only be recovered if the URLs are stored in the history file. If you clear the history file, IE PassView won't be able to recover the passwords until you visit again the Web sites that asked for the passwords. Alternatively, you can add a list of URLs of Web sites that requires user name/password into the Web sites file (see below).

  • HTTP Authentication Passwords: These passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords. Due to security limitations, IE PassView can recover these passwords only if you have administrator rights.

In my particular case it answers the question of where; and I decided that I don't want to duplicate that. I'll continue to use CredRead/CredWrite, where the user can manage their passwords from within an established UI system in Windows.

No guarantee, but I suspect IE uses the older Protected Storage API.

Short answer: in the Vault. Since Windows 7, a Vault was created for storing any sensitive data among it the credentials of Internet Explorer. The Vault is in fact a LocalSystem service - vaultsvc.dll.

Long answer: Internet Explorer allows two methods of credentials storage: web sites credentials (for example: your Facebook user and password) and autocomplete data. Since version 10, instead of using the Registry a new term was introduced: Windows Vault. Windows Vault is the default storage vault for the credential manager information.

You need to check which OS is running. If its Windows 8 or greater, you call VaultGetItemW8. If its isn't, you call VaultGetItemW7.

To use the "Vault", you load a DLL named "vaultcli.dll" and access its functions as needed.

A typical C++ code will be:

hVaultLib = LoadLibrary(L"vaultcli.dll");

if (hVaultLib != NULL) 
{
    pVaultEnumerateItems = (VaultEnumerateItems)GetProcAddress(hVaultLib, "VaultEnumerateItems");
    pVaultEnumerateVaults = (VaultEnumerateVaults)GetProcAddress(hVaultLib, "VaultEnumerateVaults");
    pVaultFree = (VaultFree)GetProcAddress(hVaultLib, "VaultFree");
    pVaultGetItemW7 = (VaultGetItemW7)GetProcAddress(hVaultLib, "VaultGetItem");
    pVaultGetItemW8 = (VaultGetItemW8)GetProcAddress(hVaultLib, "VaultGetItem");
    pVaultOpenVault = (VaultOpenVault)GetProcAddress(hVaultLib, "VaultOpenVault");
    pVaultCloseVault = (VaultCloseVault)GetProcAddress(hVaultLib, "VaultCloseVault");

    bStatus = (pVaultEnumerateVaults != NULL)
        && (pVaultFree != NULL)
        && (pVaultGetItemW7 != NULL)
        && (pVaultGetItemW8 != NULL)
        && (pVaultOpenVault != NULL)
        && (pVaultCloseVault != NULL)
        && (pVaultEnumerateItems != NULL);
}

Then you enumerate all stored credentials by calling

VaultEnumerateVaults

Then you go over the results.

Source: Stackoverflow.com

Examples related to security

Monitoring the Full Disclosure mailinglist Two Page Login with Spring Security 3.2.x How to prevent a browser from storing passwords JWT authentication for ASP.NET Web API How to use a client certificate to authenticate and authorize in a Web API Disable-web-security in Chrome 48+ When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? How does Content Security Policy (CSP) work? How to prevent Screen Capture in Android Default SecurityProtocol in .NET 4.5

Examples related to internet-explorer

Support for ES6 in Internet Explorer 11 The response content cannot be parsed because the Internet Explorer engine is not available, or Flexbox not working in Internet Explorer 11 IE and Edge fix for object-fit: cover; "Object doesn't support property or method 'find'" in IE How to make promises work in IE11 Angular 2 / 4 / 5 not working in IE11 Text in a flex container doesn't wrap in IE11 How can I detect Internet Explorer (IE) and Microsoft Edge using JavaScript? includes() not working in all browsers

Examples related to passwords

Your password does not satisfy the current policy requirements Laravel Password & Password_Confirmation Validation Default password of mysql in ubuntu server 16.04 mcrypt is deprecated, what is the alternative? What is the default root pasword for MySQL 5.7 MySQL user DB does not have password columns - Installing MySQL on OSX Changing an AIX password via script? Hide password with "•••••••" in a textField How to create a laravel hashed password Enter export password to generate a P12 certificate

Examples related to password-protection

SQLite with encryption/password protection How do you use bcrypt for hashing passwords in PHP? Easy way to password-protect php page Where does Internet Explorer store saved passwords? HTTP authentication logout via PHP Removing the password from a VBA project

Tags

Spawn Applicationsettingsbase Intrusive-containers True-type-fonts Coding-efficiency Billing Bloom Git-reset Vptr Compile-time-weaving Asdf Ad-management Usbserial Mosix Newsletter Yetanotherforum Font-replacement Windows-xp-sp2 High-speed-computing Gnuradio Jsdt Dot-operator .net-reflector Ruby-ripper Eager Canoo Elevated-privileges Profiler Installshield-2008 Opencascade Nmea Geodesic-sphere Login-system Mds-cs Campfire Irrlicht Esent Octest Directinput Sqldatasource Levenshtein-distance Alpha-transparency Dialing Where-clause Ssid Openerp Declarative-services Remote-access Mmc Retro-computing Lookbehind Apache-wink Consolas Onavailable Unauthorizedaccessexcepti Time-t Mergesort Tps Background-repeat Route-me Office-pia Radwindow Gamekit Rss Faults Translation-scheme Active-directory Unjar Automount Probing Transducer Organized Opengl-4 Multitouch-keyboard Readerwriterlock Camelcasing Flickrj Dokuwiki Multi-upload Mesh Wsma Stack-based Djgpp Grizzly Semaphore Formsof End-tag Hgsubversion Data-members Odp.net Clonenode Tableadapter Avm2 Temporary-directory Suds Django-custom-tags Icmp Getscript Datetimepicker Zipoutputstream