[AccessD] OT: browser password fill-in

Andy Lacey andy at minstersystems.co.uk
Thu May 19 14:44:05 CDT 2005


Interesting tool Bob but how the hell do you interpret the results? I see
hundreds of entries but no idea which website uses which entries.

-- Andy Lacey
http://www.minstersystems.co.uk 

> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com 
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> Asst. Chief R. Gajewski
> Sent: 19 May 2005 17:34
> To: 'Access Developers discussion and problem solving'
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> 
> John (et al):
> 
> From a Google search ...
> 
> 
> Tip of the day: Manage saved passwords
> Windows XP provides a secure system for storing sensitive 
> data associated with Web pages you visit using Internet 
> Explorer. This data store includes saved user names, 
> passwords, and Web form data you "remember" using the 
> AutoComplete feature in Internet Explorer. Occasionally, 
> people ask me where this data is stored, assuming (logically) 
> that it has to be saved somewhere and that these saved 
> passwords could represent a security risk.
> 
> Here's the good news: The Protected Storage service, which 
> runs as part of the Local Security Administration subsystem 
> (Lsass.exe) manages this data store. This data is encrypted 
> using your logon credentials and is stored in a secure 
> portion of the registry. For security reasons, you cannot 
> view the hashed data directly. Instead, Windows allows 
> programs to query for specific data. The Protected Storage 
> service decrypts the data only when it can verify that the 
> request is accompanied by the correct logon credentials - in 
> other words, that whoever is making the request is currently 
> logged on using the same account that was used to store the data.
> 
> What happens if you forget a saved password that you use to 
> access a secure Web site? Although you can log on using the 
> saved credentials, you can't read the password or export it 
> to another program. That's especially unfortunate if you're 
> switching to a new PC, because the Files and Settings 
> Transfer Wizard doesn't migrate saved passwords either.
> 
> The solution? Download a copy of the free Protected Storage 
> Explorer (http://www.forensicideas.com/tools.html). This tool 
> queries the Protected Storage database and dumps its contents 
> into an Explorer-style window that you can use to browse 
> saved passwords for e-mail accounts, FTP servers, Web sites, 
> and other normally hidden locations. You must be logged on to 
> a user account to view saved data for that account. Needless 
> to say, the existence of a tool like this should inspire you 
> to lock your computer when you step away from your desk.
> 
> 
> Regards,
> Bob Gajewski
>  
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> John W. Colby
> Sent: Thursday, May 19, 2005 12:07 PM
> To: 'Access Developers discussion and problem solving'
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> Are you being facetious or is there something I should know?
> 
> John W. Colby
> www.ColbyConsulting.com 
> 
> Contribute your unused CPU cycles to a good cause: 
> http://folding.stanford.edu/
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Eric Barro
> Sent: Thursday, May 19, 2005 11:53 AM
> To: Access Developers discussion and problem solving
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> 
> John,
> 
> Firefox makes it quite easy to manage that password list. :)
> 
> Eric
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> John W. Colby
> Sent: Thursday, May 19, 2005 8:43 AM
> To: 'Access Developers discussion and problem solving'
> Subject: [AccessD] OT: browser password fill-in
> 
> 
> Does anyone know how password / username fill-in works and 
> specifically where the information is stored by the browser?  
> IOW, as you go out on the web and sites ask for a username 
> and password, the browser pops up and asks if you want the 
> values stored so that you don't have to fill them in the next 
> time.  Alternately you are presented a list of usernames and 
> the browser selects the right password for that username for 
> that site.  All very nice, except the lists sometimes get 
> whacked, with 7 different usernames never entered for that 
> web page.  I need to go in and clean up the mess.
> 
> I suspect that it is a cookie somewhere but no idea how to 
> find / fix them.
> 
> John W. Colby
> www.ColbyConsulting.com 
> 
> Contribute your unused CPU cycles to a good cause: 
> http://folding.stanford.edu/
> 
> --
> AccessD mailing list
> AccessD at databaseadvisors.com 
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com



