Passwords, passwords, passwords. We’ve come to a point where it’s impossible to have a life online without a gazillion passwords, which should all be complicated, long and unique. The easiest way to solve this is by letting the browser store the passwords for you. You make up something random, and let the browser remember it for you. But are the browsers safe? Can someone extract the passwords forensically? According to the RaiderSec blog: if you use Firefox and use a strong master password, then you are safe (for now!). If you use IE, then the difficulty in obtaining the password is dependent on the version. However, if you use Chrome, you are, quite frankly, screwed.
The problem with Chrome is that the password is encrypted using a call to the Windows API function CryptProtectData. According to the Microsoft page: “Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer.” Easy peasy, just run the Windows API function CryptUnprotectData on the password! This is easily done with Python’s Win32 library, and has conveniently already been scripted and is available on GitHub! The script goes through each stored password, decrypts it and prints out the corresponding URL and username too. Malware can quite easily take advantage of this, as it tends to run in the user context. Oh dear! It might well be a secure browser, but the way it stores your passwords is definitely not!
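The scope quoted above can be checked without touching any browser data. This is an added example, not code from the original post or from the GitHub script it mentions: it protects a constructed secret through the .NET `ProtectedData` wrapper around the same API, then tries to unprotect it from a second process running as the same user, with and without the API's optional entropy value. It assumes Windows PowerShell 5.1, and `Test-UnprotectInOtherProcess` is a hypothetical helper name.

```powershell
# Added example: DPAPI round trip on a constructed secret. No browser data is touched.
# Assumption: Windows PowerShell 5.1, run as an ordinary logged-on user.
Add-Type -AssemblyName System.Security
$dpapi  = [System.Security.Cryptography.ProtectedData]
$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [Text.Encoding]::UTF8.GetBytes('constructed-demo-secret')

# Hypothetical helper: try to unprotect a blob in a separate process that runs
# as the same user and passes no entropy. Returns the plaintext, or $null if
# DPAPI refuses.
function Test-UnprotectInOtherProcess([byte[]]$Blob) {
    $job = Start-Job -ArgumentList ([Convert]::ToBase64String($Blob)) -ScriptBlock {
        param($b64)
        Add-Type -AssemblyName System.Security
        try {
            $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
                [Convert]::FromBase64String($b64), $null,
                [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
            [Text.Encoding]::UTF8.GetString($plain)
        } catch { $null }
    }
    $job | Wait-Job | Receive-Job
    Remove-Job $job
}

# Case 1: no optional entropy, the situation the post describes. The logon
# credential is the only thing the blob is bound to.
$blob = $dpapi::Protect($secret, $null, $scope)
"no entropy   -> other process recovered: $(Test-UnprotectInOtherProcess -Blob $blob)"

# Case 2: caller-supplied entropy. The same bytes must be presented again to
# unprotect, so a process that does not know them is refused.
$entropy = [Text.Encoding]::UTF8.GetBytes('constructed-app-secret')
$blob2   = $dpapi::Protect($secret, $entropy, $scope)
$result  = Test-UnprotectInOtherProcess -Blob $blob2
"with entropy -> other process recovered: $(if ($null -eq $result) { '<refused>' } else { $result })"
```

The entropy value only raises the bar if it is not itself stored somewhere the same user account can read, which is why a secret the user types in, like the Firefox master password mentioned above, changes the picture.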