Extracting and Using Stored Passwords from Web Browsers

July 7th, 2020 by Oleg Afonin
Category: «Elcomsoft News», «Tips & Tricks»

Breaking passwords becomes more difficult with every other update of popular software. Microsoft routinely bumps the number of hash iterations to make Office document protection coherent with current hardware. Apple uses excessive protection of iTunes backups since iOS 10.1, making brute force attacks a thing of the past. VeraCrypt and BitLocker were secure from the get go. However, everything is not lost if you consider human nature.

It’s been 10 years sharp since we released the first version of our password extraction tool, Elcomsoft Internet Password Breaker. The tool (originally named Advanced Internet Explorer Password Recovery) was originally designed to reveal stored authentication credentials (logins and passwords) from Internet Explorer, then dominant Web browser. Later on, we’ve added Outlook and Outlook Express, albeit in a different tool. On July 1, 2010, we integrated those tools into what is known today as Elcomsoft Internet Password Breaker. During the past several years, the increasing demand from the forensic labs made us add a feature allowing to build the complete filtered dictionary of all of the user’s passwords they stored in all Web browsers they had installed and used. This is the only case where we managed to implement the proverbial “one button” solution, as the click on the “Export” button immediately produces a text file with passwords that you can immediately use in a password recovery tool.

Today, Elcomsoft Internet Password Breaker 3.20 can instantly extract stored passwords from a bunch of popular browsers and email clients. This includes the latest versions of Google Chrome, Mozilla Firefox, both versions of Microsoft Edge (universal and Chromium-based), as well as Microsoft Internet Explorer, Opera. Popular email clients such as Windows Mail (Windows 10), Microsoft Outlook and Thunderbird are also supported. Last but not least, we’ve added support for Yandex Browser, Russia’s second most popular desktop Web browser, and two Chinese ones: QQ Browser and UC Browser.

Why would one need the list of passwords stripped of other login credentials?

Various studies show that an average Internet user has more than 30 online accounts. This number is growing year after year. Memorizing several dozen strong, unique passwords (as required by every site’s password policy) increasingly becomes a hassle. Realistically, the user has two choices: either reusing the same password over and over (we wrote about it in How to Break 70% of Passwords in Minutes) or employing some sort of a password manager.

There is no lack of password managers on the market. LastPass, 1Password, Dashline, Keepass, Bitwarden and whatnot have been around for years. Some of these password managers have their share of problems, so many users trust their passwords to their Web browser instead. Web browsers are convenient, often offering convenient cloud sync of the stored passwords across devices. Moreover, we are yet to see a Web browser asking the user to set up a Master Password of any kind.

Does that mean the passwords stored in Web browsers aren’t protected, or are poorly protected? Read Extracting Passwords from Microsoft Edge Chromium to learn about the protection mechanisms manufacturers use to secure the passwords. In a word, the user’s passwords are protected with a AES encryption, while the encryption key is secured by Windows Data Protection API (DPAPI), which, in turn, requires the user’s logon credentials to unlock and decrypt the protected vault.

Yet, even passwords secured with DPAPI can be extracted and used to attack the user’s files, documents and other online accounts.

By the way, Google synchronizes Chrome passwords with a cloud. You can extract Chrome passwords from Google cloud services using Elcomsoft Cloud Explorer.

Apple also synchronizes passwords with a cloud. You can extract Safari passwords from iCloud Drive with Elcomsoft Phone Breaker.

Using Elcomsoft Internet Password Breaker to extract passwords

In order to extract passwords from Web browsers such as Google Chrome, Microsoft Edge or Opera, you must be able to authenticate into the user’s Windows account (with their login and password, Microsoft Account credentials, PIN code or Windows Hello) or hijack an already authenticated session. While analyzing a forensic disk image without knowing the user’s password will not provide access to Chrome/Edge/Opera cached passwords due to DPAPI protection, Mozilla Firefox does not benefit from the same kind of protection. As a result, Firefox passwords can be extracted from a mounted image without knowing the user’s Windows login credentials.

This is going to become the shortest and simplest walkthrough we’ve published in years. To extract passwords from Web browsers, perform the following steps.

  1. Launch Elcomsoft Internet Password Breaker.
  2. To create a filtered dictionary to use with one of our password recovery tools, click the “Export Passwords” button and specify where you want the tool to save the text file to.

REFERENCES:

Elcomsoft Internet Password Breaker

Elcomsoft Internet Password Breaker instantly reveals passwords to Web sites, identities, and mailboxes stored in a variety of applications. Supporting all popular Web browsers and all versions of Outlook Express, Microsoft Outlook, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker helps you retrieve the login and password information to a wide variety of resources.

Elcomsoft Internet Password Breaker official web page & downloads »