Firefox & IE Prompt You To Remember Passwords - Do You Say Yes?

When you type a password into any web form, both Internet Explorer and Firefox prompt whether you would like them to remember your password.

If that’s a personal computer, chances are high that you will click Yes and the password is then saved in the web browser.


This “Remember Me” option in web browsers is useful, but it actually puts your login credentials at serious risk, especially in Firefox.

View stored passwords in Internet Explorer:

Though IE stores your passwords in encrypted form in the Windows Registry database, anyone can easily view your passwords using a free 35kb tool called IE PassView.

The tool automatically displays a list of all auto-complete entries saved inside IE. See screenshot.


View stored passwords in Firefox:

With Firefox, it gets much simpler and anyone who knows how to use a mouse can see all your passwords stored inside Firefox.

The route is Tools -> Options -> Security -> Show Passwords. And there you have all the passwords that you ever asked Firefox to remember for you.


Even that short visit to a nearby coffee vending machine could leak your identity, as all it takes is a few seconds for anyone to view your secret passwords.

To keep yourself safe, uncheck “Prompt me to save passwords” in Internet Explorer and use “Set Master Password” in Firefox.


Find this article at: http://www.labnol.org/software/browsers/view-stored-password-firefox-internet-explorer/1906/

web: http://www.labnol.org/ email: amit@labnol.org


Reader Comments

Yes but that’s exactly why Windows NT has the concept of user profiles. Then your passwords cannot be stolen SO easily. Doesn’t Firefox also have profiles? Users can also use Encrypting File System for additional security.

For Firefox: Using a master password will require you to enter the master password for both adding to the saved passwords and viewing them. Thus more secure than you described above. However, a tool similar to IE Passview is sure to exist.

Of course, finishing the article before posting a comment would have revealed that same info.

As you probably know I’ve covered passwords several times on Significant Figures and coincidentally had discussed Firefox security in a post scheduled to appear today. The show passwords trick only works if you’ve actually “logged in”, but the crackers work regardless. Anyway, I reviewed passpack briefly on the site, that is a possible secure method of saving your info without compromising security.

db

I need a little clarification here.
The post is talking about the risk of leaking passwords to someone when he/she has the actual privilege to the computer and hence the stored info in web browser. I hope the IE Pass View tool is not accessible to anyone on the internet when I am logged onto the internet….

Can the info stored in my web browsers be hacked on by anyone without my knowledge when I am online? Is that what IE pass tool is about?

As far as access to a personal computer is concerned, I would think that the user account should be password protected and it should start from the welcome screen requiring a password when the computer has been inactive for say 2-5 mins or more.

Also, one can press the shortcut keys Windows + L on the keyboard to immediately lock the working computer screen when leaving the computer even for a minute…

Please let us know,

And also, can the responses to these comments be directly seen in my RSS feeds? Is there an option for RSS feeds for comments for this post? Thanks very much…

It’s great to know how stored passwords can be viewed in IE :)

Hello? Hello? Is anyone home? Oh no, breaking news, if passwords are saved in such a way that they can be accessed later, THEY CAN BE ACCESSED LATER! WHO WOULD EVER HAVE GUESSED?

Excuse me? THAT’S THE WHOLE POINT, PEOPLE!

And yeah, go use EFS if you’re worried about someone stealing your hard drive. If it’s the sysadmin you don’t trust, EFS is useless because they could just install a keylogger - you’re screwed if you don’t trust the sysadmin.

This is hogwash.
ANYTHING can happen to a computer left unattended. It’s not the software’s fault, it’s the user’s fault for not locking the computer.

what about Opera and Safari?

Rightly pointed out, Amit. I had observed it a month ago and since then I stopped the remember password tool itself. Firefox must fix this bug.

“Even that short visit to a nearby coffee vending machine could leak your identity as all it takes is few seconds for anyone to view your secret passwords”
Personally, I always lock my computer in such cases. IE & Firefox passwords are not the biggest problems. Think about your corporate or personal messaging system…
It takes only 500ms to press Win+L !!!
For me, it is a PEBKAC problem.

You could still password protect your passwords with a master password.

Hmmm.
How about an article describing how other people can delete your files/change your desktop wallpaper/rewrite your blog, if you just walk away from the computer while logged on?

Nice way to see IE Passwords, Thanks for sharing:)

Nice article, Amit. Btw, use this tech if you want to, but always keep your computers locked while you are away.

Well, this is simply HOAX. Don’t mind this article.

Well DUH! Lock your computer before running off to the twinkie machine, keyboard-hopper.

Healthy companies have a culture in which people who leave their machine unlocked and unattended even for the short time it takes to grab a cup of coffee return to find all manner of prank has been committed against that computer. Maybe the desktop pattern or the beep sound has been changed to something ugly or embarrassing or confusing. Maybe the computer has been used to send email to the whole company announcing the person is an idiot. This sort of thing is the only way people learn basic principles of security.

I used to have a little gadget on a floppy (back in the Win 3.11 days) that turned the monitor display upside down, and left it that way, even after the program was shut down and the floppy had been removed.

I couldn’t describe how much fun I had with that.

@Rajeev Hirani: ‘bug’?? Why the hell does this look like a bug? It’s like that by design, the only way to be sure there is no way to see the passwords is NOT LETTING IT STORE THEM.

Be careful setting a master password in Firefox.
Once you set it you will be prompted to enter the master password every time you want Firefox to fill in your site password. You might as well fill in the site password yourself and save time.
Also you will find yourself completely helpless if you forget the master password. There is no way of recovering it. Un-installing and re-installing Firefox does not reset it.
Like this article pointed out, there is software out there that can easily crack open any encrypted code.
Bottom line: Do not depend on a third party software tool to remember your passwords. There are other ways. I store my passwords in a notepad (online or desktop) with blanks or some kind of a protocol that only you understand. For example, if the password is “1firefox” I would store it as 1…x, just enough of a hint to remind me of my password.
Of course if you have 100 different passwords for 100 different sites then you are in trouble remembering them anyways.

How about just locking your computer… (Windows Key + L) will do it.

Seems everyone knows how to lock their computers, wow!

I wonder why this bias towards implying that Firefox is less secure than the exploit-ridden IE…

“With Firefox, it gets much simpler”.

- Nope, it doesn’t! If you TRY to access the passwords dialog box, you’re PROMPTED to type the master password, EVEN if you had just used it to log into some site. If you then want to SHOW the passwords, you’re prompted AGAIN for the master password.

So, if nothing else, it’s SAFER to actually use this password save feature: at least you won’t get caught typing your REAL site password by a key-logger: all he’ll get is your Firefox master password, NOT the one needed to access the site.

And, of course, if you use a public PC, you’d have to be a complete moron to actually answer YES to save the password!

Now, if you had instead elaborated on that last sentence (which I and others missed until the 2nd time through your article!), THAT would have been a much healthier article. Something along the lines of: “If you surf on a public computer, first make sure that option A is set to X so as not to save your passwords”. Something along those lines would be more useful than this article, seeing that many will miss that last sentence and even that sentence doesn’t quite explain it. I mean, if someone doesn’t know how to keep themselves safe, they won’t be learning more from this article. And if they ALREADY know how, then they’ll learn nothing the same!

I was being a passive reader of your blog; today I read this article (again) to solve my question: is there any way I can change my changed password in FF or IE? I used to have 1234 as my previous password, which is remembered by FF, but I changed the password to 6789, so how can I force FF to remember 6789?

Ed: Ananta - you could go to the Firefox password manager as described in the story above and then delete that password. Now clear your Firefox cache (“Clean Private Data”) and visit that same site again. Type the password and Firefox will ask you if you would like to save that new password. Should work.

Okay, I have a question. I recently deleted some of the saved passwords in Firefox. Now I’ve had to re-enter my passwords and this “prompt” doesn’t pop up anymore. How do I set it so they save again? Because MySpace has done this too, I think I accidentally pressed “never on this site”. Now the passwords that were saved don’t pop up. How do I fix it? Any help would be appreciated, thanks.

@Whoever said the master password needed to be entered every time.

It only needs to be done ONCE per SESSION (i.e. once every time you open Firefox)

kthxbye
