The latest update to Elcomsoft Distributed Password Recovery added eight additional password management tools to the list of supported data formats. The software can now attack master passwords protecting databases from Bitwarden, Dropbox Passwords, Enpass, Kaspersky, Keeper, Roboform, Sticky Password, and Zoho Vault password managers. Let’s talk about password managers – and how to handle them in a forensic lab.

Password managers are either stand-alone apps or browser extensions originally designed to solve the long-standing problem of password reuse. The idea is that, instead of relying on memory or sticky notes, users can store all of their credentials in an encrypted database, unlocking it with a single master password. Modern password managers also integrate and sync across platforms, making it easy to generate, store, synchronize and autofill strong, unique passwords on desktop and mobile devices. This approach reduces the risk of account compromise from password reuse and encourages better security hygiene overall – but there is one important drawback: the single master password becomes the single weak point as well.

The convenience of a single master password is also a potential weakness. If that one key is compromised – whether through a leak, phishing, or brute-force attacks, – an attacker can unlock the entire vault and gain access to every stored credential. The situation is especially critical on mobile devices, where users tend to pick simpler master passwords for everyday convenience. In this way, password managers simultaneously strengthen overall account security while concentrating risk into a single point of failure.

Elcomsoft Distributed Password Recovery supports a number of popular password management apps. The recent update added eight more, expanding beyond the traditional big names such as 1Password, LastPass, Dashlane, and KeePass. The newly supported tools include Bitwarden, Dropbox Passwords, Enpass, Kaspersky, Keeper, Roboform, Sticky Password, and Zoho Vault. Once the master password is recovered, investigators gain access to the entire vault of stored credentials, making these additions highly significant.

Among the new arrivals, Bitwarden stands out as one of the most popular free, open-source solutions with broad cross-platform support and widespread use in both consumer and enterprise environments. Other supported apps cover a wide range of audiences – from business-focused solutions such as Zoho Vault to long-standing consumer tools like Roboform and Sticky Password.

How to use

Working with Elcomsoft Distributed Password Recovery to attack password manager databases involves three main steps:

1. Extract and copy the password database

The first step is obtaining the password database file from the target system. Each supported password manager stores its data in a specific location:

• Bitwarden
  • Windows local account:

    %USERPROFILE%\AppData\Roaming\Bitwarden\data.json

  • Chromium-based Browser Extensions:

    %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb

  • Firefox Browser Extensions:

    %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\4gh7gwgh.default-release\storage\default\moz-extension+++39ba7978-e1be-4990-b48d-00c0ff8362f3^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

• Dropbox Passwords
  • Edge Browser Extensions:

    %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\fpkmflnbcknhlogdhofdmneejiijefch\..Extension storage

  • Chrome Extensions:

    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmhejbnmpamgfnomlahkonpanlkcfabg\..Extension storage

  • Firefox Browser Extensions:

    %AppData%\Mozilla\Firefox\Profiles\revl980y.default-release\storage\default\moz-extension+++7b48bf6a-db2b-4f1e-a3d9-31dd3d026c68^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

• Enpass
  • Windows:

    %APPDATA%\Roaming\Sinew Software Systems Pvt Ltd\Enpass\Vaults\primary\vault.json
    %APPDATA%\Roaming\Sinew Software Systems Pvt Ltd\Enpass\Vaults\primary\vault.enpassdb

• Kaspersky
  • Windows:

    %LocalAppData%\Kaspersky Lab\Kaspersky Password Manager\kpm_vault.edb

• Keeper
  • Windows:

    %LocalAppData%\Packages\KeeperSecurityInc.KeeperPasswordManager_zwgt23r867e2p\AppData\Keeper Password Manager\IndexedDB\file__0.indexeddb.leveldb

• Roboform
  • Windows:

    %USERPROFILE%\AppData\Local\RoboForm\Profiles\Default Profile\_app-data.rfo

• Sticky Password
  • Windows:

    %LocalAppData%\Lamantine\StickyPassword\default.spdb

• Zoho Vault
  • Input file:

    XML

2. Extract encryption metadata with Elcomsoft Hash Extractor (EHE)

Once the database is located, open it in Elcomsoft Hash Extractor (EHE), a companion tool bundled with Elcomsoft Distributed Password Recovery. EHE processes the database and produces a much smaller file containing only the necessary encryption metadata (the password hash).

3. Run the attack in Elcomsoft Distributed Password Recovery

The final step is to open the EHE-produced file in Elcomsoft Distributed Password Recovery (see Password Reuse vs. Master Password: Two Sides of Password Managers). From there, you can configure and launch an attack, leveraging CPU and GPU acceleration or even distributing the workload across multiple machines to maximize performance.