[AccessD] OT: browser password fill-in

John W. Colby jwcolby at colbyconsulting.com
Thu May 19 11:58:17 CDT 2005


Hmmm... It doesn't seem to be used by FireFox though.

John W. Colby
www.ColbyConsulting.com 

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Asst. Chief R.
Gajewski
Sent: Thursday, May 19, 2005 12:34 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: browser password fill-in


John (et al):

>From a Google search ...


Tip of the day: Manage saved passwords
Windows XP provides a secure system for storing sensitive data associated
with Web pages you visit using Internet Explorer. This data store includes
saved user names, passwords, and Web form data you "remember" using the
AutoComplete feature in Internet Explorer. Occasionally, people ask me where
this data is stored, assuming (logically) that it has to be saved somewhere
and that these saved passwords could represent a security risk.

Here's the good news: The Protected Storage service, which runs as part of
the Local Security Administration subsystem (Lsass.exe) manages this data
store. This data is encrypted using your logon credentials and is stored in
a secure portion of the registry. For security reasons, you cannot view the
hashed data directly. Instead, Windows allows programs to query for specific
data. The Protected Storage service decrypts the data only when it can
verify that the request is accompanied by the correct logon credentials - in
other words, that whoever is making the request is currently logged on using
the same account that was used to store the data.

What happens if you forget a saved password that you use to access a secure
Web site? Although you can log on using the saved credentials, you can't
read the password or export it to another program. That's especially
unfortunate if you're switching to a new PC, because the Files and Settings
Transfer Wizard doesn't migrate saved passwords either.

The solution? Download a copy of the free Protected Storage Explorer
(http://www.forensicideas.com/tools.html). This tool queries the Protected
Storage database and dumps its contents into an Explorer-style window that
you can use to browse saved passwords for e-mail accounts, FTP servers, Web
sites, and other normally hidden locations. You must be logged on to a user
account to view saved data for that account. Needless to say, the existence
of a tool like this should inspire you to lock your computer when you step
away from your desk.


Regards,
Bob Gajewski
 

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of John W. Colby
Sent: Thursday, May 19, 2005 12:07 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: browser password fill-in

Are you being facetious or is there something I should know?

John W. Colby
www.ColbyConsulting.com 

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Eric Barro
Sent: Thursday, May 19, 2005 11:53 AM
To: Access Developers discussion and problem solving
Subject: RE: [AccessD] OT: browser password fill-in


John,

Firefox makes it quite easy to manage that password list. :)

Eric

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com]On Behalf Of John W. Colby
Sent: Thursday, May 19, 2005 8:43 AM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] OT: browser password fill-in


Does anyone know how password / username fill-in works and specifically
where the information is stored by the browser.  IOW, as you go out on the
web and sites ask for a username and password, the browser pops up and asks
if you want the values stored so that you don't have to fill them in the
next time.  Alternately you are presented a list of usernames and the
browser selects the right password for that username for that site.  All
very nice, except the lists sometimes get whacked, with 7 different
usernames never entered for that web page.  I need to go in and clean up the
mess.

I suspect that it is a cookie somewhere but no idea how to find / fix them.

John W. Colby
www.ColbyConsulting.com 

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/



 

 
----------------------------------------------------------------
The information contained in this e-mail message and any file, document,
previous e-mail message and/or attachment transmitted herewith is
confidential and may be legally privileged. It is intended solely for the
private use of the addressee and must not be disclosed to or used by anyone
other than the addressee. If you receive this transmission by error, please
immediately notify the sender by reply e-mail and destroy the original
transmission and its attachments without reading or saving it in any manner.
If you are not the intended recipient, or a person responsible for
delivering it to the intended recipient, you are hereby notified that any
disclosure, copying, distribution or use of any of the information contained
in or attached to this transmission is STRICTLY PROHIBITED. E-mail
transmission cannot be guaranteed to be secure or error free as information
could be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
or contain viruses. The sender therefore does not accept liability for any
errors or omissions in the contents of this message, which arise as a result
of email transmission. Users and employees of the e-mail system are
expressly required not to make defamatory statements and not to infringe or
authorize any infringement of copyright or any other legal right by email
communications. Any such communication is contrary to company policy. The
company will not accept any liability in respect of such communication.

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com



-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com


-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com






More information about the AccessD mailing list