[AccessD] OT: browser password fill-in

Andy Lacey andy at minstersystems.co.uk
Fri May 20 01:27:15 CDT 2005 

Thanks for the explanation Bob.

-- Andy Lacey
http://www.minstersystems.co.uk 

> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com 
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> Bob Gajewski
> Sent: 20 May 2005 06:06
> To: 'Access Developers discussion and problem solving'
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> 
> Andy
> 
> The stored data isn't necessarily associated with a specific 
> site ... This tool displays the data associated with FIELDS.
> 
> If a webpage input form has a field name ADDRESS2, if you 
> double-click inside the field, a drop-down list shows you all 
> of the data that you have previously input (and saved) to any 
> field of the same name. Or, if you start typing, the field 
> "auto-completes" based on the match(es) from this stored 
> data. Since many sites use common field names (such as 
> 'email', 'address1', 'city', etc), for those you get several 
> stored choices. If the field name is relativley unique (such 
> as 'yahoo_e'), then you will most likely only get one choice.
> 
> This is a read-only tool ... And not one that I have used a 
> lot. But every once in awhile, it helps me find a missing password.
> 
> The main focus of my reply (to JC) was the part about "This 
> data is encrypted using your logon credentials and is stored 
> in a secure portion of the registry. For security reasons, 
> you cannot view the hashed data directly.".
> 
> I also thought he was using IE.
> 
> Bob
> 
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Andy Lacey
> Sent: Thursday, May 19, 2005 15:44 PM
> To: 'Access Developers discussion and problem solving'
> Subject: RE: [AccessD] OT: browser password fill-in
> 
> Interesting tool Bob but how the hell do you interpret the 
> results? I see hundreds of entries but no idea which website 
> uses which entries.
> 
> -- Andy Lacey
> http://www.minstersystems.co.uk 
> 
> > -----Original Message-----
> > From: accessd-bounces at databaseadvisors.com
> > [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> Asst. Chief
> > R. Gajewski
> > Sent: 19 May 2005 17:34
> > To: 'Access Developers discussion and problem solving'
> > Subject: RE: [AccessD] OT: browser password fill-in
> > 
> > 
> > John (et al):
> > 
> > >From a Google search ...
> > 
> > 
> > Tip of the day: Manage saved passwords Windows XP provides a secure
> > system for storing sensitive data associated with Web pages 
> you visit 
> > using Internet Explorer. This data store includes saved user names, 
> > passwords, and Web form data you "remember" using the AutoComplete 
> > feature in Internet Explorer. Occasionally, people ask me 
> where this 
> > data is stored, assuming (logically) that it has to be 
> saved somewhere 
> > and that these saved passwords could represent a security risk.
> > 
> > Here's the good news: The Protected Storage service, which runs as
> > part of the Local Security Administration subsystem
> > (Lsass.exe) manages this data store. This data is encrypted 
> using your 
> > logon credentials and is stored in a secure portion of the 
> registry. 
> > For security reasons, you cannot view the hashed data directly. 
> > Instead, Windows allows programs to query for specific data. The 
> > Protected Storage service decrypts the data only when it can verify 
> > that the request is accompanied by the correct logon 
> credentials - in 
> > other words, that whoever is making the request is 
> currently logged on 
> > using the same account that was used to store the data.
> > 
> > What happens if you forget a saved password that you use to access a
> > secure Web site? Although you can log on using the saved 
> credentials, 
> > you can't read the password or export it to another program. That's 
> > especially unfortunate if you're switching to a new PC, because the 
> > Files and Settings Transfer Wizard doesn't migrate saved passwords 
> > either.
> > 
> > The solution? Download a copy of the free Protected Storage Explorer
> > (http://www.forensicideas.com/tools.html). This tool queries the 
> > Protected Storage database and dumps its contents into an 
> > Explorer-style window that you can use to browse saved 
> passwords for 
> > e-mail accounts, FTP servers, Web sites, and other normally hidden 
> > locations. You must be logged on to a user account to view 
> saved data 
> > for that account. Needless to say, the existence of a tool 
> like this 
> > should inspire you to lock your computer when you step away 
> from your 
> > desk.
> > 
> > 
> > Regards,
> > Bob Gajewski
> >  
> > 
> > -----Original Message-----
> > From: accessd-bounces at databaseadvisors.com
> > [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of John W.
> > Colby
> > Sent: Thursday, May 19, 2005 12:07 PM
> > To: 'Access Developers discussion and problem solving'
> > Subject: RE: [AccessD] OT: browser password fill-in
> > 
> > Are you being facetious or is there something I should know?
> > 
> > John W. Colby
> > www.ColbyConsulting.com
> > 
> > Contribute your unused CPU cycles to a good cause:
> > http://folding.stanford.edu/
> > 
> > -----Original Message-----
> > From: accessd-bounces at databaseadvisors.com
> > [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> Eric Barro
> > Sent: Thursday, May 19, 2005 11:53 AM
> > To: Access Developers discussion and problem solving
> > Subject: RE: [AccessD] OT: browser password fill-in
> > 
> > 
> > John,
> > 
> > Firefox makes it quite easy to manage that password list. :)
> > 
> > Eric
> > 
> > -----Original Message-----
> > From: accessd-bounces at databaseadvisors.com
> > [mailto:accessd-bounces at databaseadvisors.com]On Behalf Of John W.
> > Colby
> > Sent: Thursday, May 19, 2005 8:43 AM
> > To: 'Access Developers discussion and problem solving'
> > Subject: [AccessD] OT: browser password fill-in
> > 
> > 
> > Does anyone know how password / username fill-in works and
> > specifically where the information is stored by the browser.
> > IOW, as you go out on the web and sites ask for a username and 
> > password, the browser pops up and asks if you want the 
> values stored 
> > so that you don't have to fill them in the next time.  
> Alternately you 
> > are presented a list of usernames and the browser selects the right 
> > password for that username for that site.  All very nice, 
> except the 
> > lists sometimes get whacked, with 7 different usernames 
> never entered 
> > for that web page.  I need to go in and clean up the mess.
> > 
> > I suspect that it is a cookie somewhere but no idea how to 
> find / fix
> > them.
> > 
> > John W. Colby
> > www.ColbyConsulting.com
> > 
> > Contribute your unused CPU cycles to a good cause:
> > http://folding.stanford.edu/
> > 
> > 
> > 
> >  
> > 
> >  
> > ----------------------------------------------------------------
> > The information contained in this e-mail message and any file,
> > document, previous e-mail message and/or attachment transmitted 
> > herewith is confidential and may be legally privileged. It 
> is intended 
> > solely for the private use of the addressee and must not be 
> disclosed 
> > to or used by anyone other than the addressee. If you receive this 
> > transmission by error, please immediately notify the sender 
> by reply 
> > e-mail and destroy the original transmission and its attachments 
> > without reading or saving it in any manner. If you are not the 
> > intended recipient, or a person responsible for delivering 
> it to the 
> > intended recipient, you are hereby notified that any disclosure, 
> > copying, distribution or use of any of the information 
> contained in or 
> > attached to this transmission is STRICTLY PROHIBITED. E-mail 
> > transmission cannot be guaranteed to be secure or error free as 
> > information could be intercepted, corrupted, lost, 
> destroyed, arrive 
> > late or incomplete, or contain viruses. The sender 
> therefore does not 
> > accept liability for any errors or omissions in the 
> contents of this 
> > message, which arise as a result of email transmission. Users and 
> > employees of the e-mail system are expressly required not to make 
> > defamatory statements and not to infringe or authorize any 
> > infringement of copyright or any other legal right by email 
> > communications. Any such communication is contrary to 
> company policy. 
> > The company will not accept any liability in respect of such 
> > communication.
> > 
> > --
> > AccessD mailing list
> > AccessD at databaseadvisors.com 
> > http://databaseadvisors.com/mailman/listinfo/accessd
> > Website: http://www.databaseadvisors.com
> > 
> > 
> > 
> > --
> > AccessD mailing list
> > AccessD at databaseadvisors.com 
> > http://databaseadvisors.com/mailman/listinfo/accessd
> > Website: http://www.databaseadvisors.com
> > 
> > 
> > --
> > AccessD mailing list
> > AccessD at databaseadvisors.com 
> > http://databaseadvisors.com/mailman/listinfo/accessd
> > Website: http://www.databaseadvisors.com
> > 
> 
> --
> AccessD mailing list
> AccessD at databaseadvisors.com 
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
> 
> 
> -- 
> AccessD mailing list
> AccessD at databaseadvisors.com 
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
> 
>

More information about the AccessD mailing list