[AccessD] OT: browser password fill-in

Bob Gajewski rbgajewski at adelphia.net
Fri May 20 00:06:11 CDT 2005


Andy

The stored data isn't necessarily associated with a specific site ... This
tool displays the data associated with FIELDS.

If a webpage input form has a field name ADDRESS2, if you double-click
inside the field, a drop-down list shows you all of the data that you have
previously input (and saved) to any field of the same name. Or, if you start
typing, the field "auto-completes" based on the match(es) from this stored
data. Since many sites use common field names (such as 'email', 'address1',
'city', etc), for those you get several stored choices. If the field name is
relatively unique (such as 'yahoo_e'), then you will most likely only get
one choice.

This is a read-only tool ... And not one that I have used a lot. But every
once in a while, it helps me find a missing password.

The main focus of my reply (to JC) was the part about "This data is
encrypted using your logon credentials and is stored in a secure portion of
the registry. For security reasons, you cannot view the hashed data
directly.".

I also thought he was using IE.

Bob


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Andy Lacey
Sent: Thursday, May 19, 2005 15:44 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: browser password fill-in

Interesting tool Bob but how the hell do you interpret the results? I see
hundreds of entries but no idea which website uses which entries.

-- Andy Lacey
http://www.minstersystems.co.uk 

> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Asst. Chief 
> R. Gajewski
> Sent: 19 May 2005 17:34
> To: 'Access Developers discussion and problem solving'
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> 
> John (et al):
> 
> From a Google search ...
> 
> 
> Tip of the day: Manage saved passwords
> 
> Windows XP provides a secure 
> system for storing sensitive data associated with Web pages you visit 
> using Internet Explorer. This data store includes saved user names, 
> passwords, and Web form data you "remember" using the AutoComplete 
> feature in Internet Explorer. Occasionally, people ask me where this 
> data is stored, assuming (logically) that it has to be saved somewhere 
> and that these saved passwords could represent a security risk.
> 
> Here's the good news: The Protected Storage service, which runs as 
> part of the Local Security Administration subsystem
> (Lsass.exe) manages this data store. This data is encrypted using your 
> logon credentials and is stored in a secure portion of the registry. 
> For security reasons, you cannot view the hashed data directly. 
> Instead, Windows allows programs to query for specific data. The 
> Protected Storage service decrypts the data only when it can verify 
> that the request is accompanied by the correct logon credentials - in 
> other words, that whoever is making the request is currently logged on 
> using the same account that was used to store the data.
> 
> What happens if you forget a saved password that you use to access a 
> secure Web site? Although you can log on using the saved credentials, 
> you can't read the password or export it to another program. That's 
> especially unfortunate if you're switching to a new PC, because the 
> Files and Settings Transfer Wizard doesn't migrate saved passwords 
> either.
> 
> The solution? Download a copy of the free Protected Storage Explorer 
> (http://www.forensicideas.com/tools.html). This tool queries the 
> Protected Storage database and dumps its contents into an 
> Explorer-style window that you can use to browse saved passwords for 
> e-mail accounts, FTP servers, Web sites, and other normally hidden 
> locations. You must be logged on to a user account to view saved data 
> for that account. Needless to say, the existence of a tool like this 
> should inspire you to lock your computer when you step away from your 
> desk.
> 
> 
> Regards,
> Bob Gajewski
>  
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of John W. 
> Colby
> Sent: Thursday, May 19, 2005 12:07 PM
> To: 'Access Developers discussion and problem solving'
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> Are you being facetious or is there something I should know?
> 
> John W. Colby
> www.ColbyConsulting.com
> 
> Contribute your unused CPU cycles to a good cause: 
> http://folding.stanford.edu/
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Eric Barro
> Sent: Thursday, May 19, 2005 11:53 AM
> To: Access Developers discussion and problem solving
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> 
> John,
> 
> Firefox makes it quite easy to manage that password list. :)
> 
> Eric
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of John W. 
> Colby
> Sent: Thursday, May 19, 2005 8:43 AM
> To: 'Access Developers discussion and problem solving'
> Subject: [AccessD] OT: browser password fill-in
> 
> 
> Does anyone know how password / username fill-in works and 
> specifically where the information is stored by the browser.
> IOW, as you go out on the web and sites ask for a username and 
> password, the browser pops up and asks if you want the values stored 
> so that you don't have to fill them in the next time.  Alternately you 
> are presented a list of usernames and the browser selects the right 
> password for that username for that site.  All very nice, except the 
> lists sometimes get whacked, with 7 different usernames never entered 
> for that web page.  I need to go in and clean up the mess.
> 
> I suspect that it is a cookie somewhere but no idea how to find / fix 
> them.
> 
> John W. Colby
> www.ColbyConsulting.com
> 
> Contribute your unused CPU cycles to a good cause: 
> http://folding.stanford.edu/
> 
> --
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com