SecurityXploded.com  
  
Password Secrets of Popular Windows Applications
 
 
 
 
Introduction
In today's Internet-driven world, all of us use applications ranging from browsers and mail clients to instant messengers. Most of these applications store sensitive information such as user names and passwords in their own private location using proprietary methods. This spares the user the hassle of entering credentials at every authentication.

Some applications take utmost care to secure this sensitive information, but most use simple or merely obscure methods to store passwords, which can easily expose your secrets to spyware running in the background or to anyone who has access to your system.



In this context, this article exposes the password storage location and encryption mechanism used by most of the popular applications. It also gives pointers on how one can uncover such passwords using the free password tools developed by us.
 
 
 
Password Secrets of Windows Applications
Here is the list of popular applications, grouped into categories such as Internet browsers, email clients and instant messengers, whose password secrets are exposed below.
 
 
Internet Browsers
 
  Avant

Avant Browser is an emerging ultra-fast web browser bringing new level of clarity and efficiency to your browsing experience.

It stores all the web login passwords in the file named 'forms.dat' at the location below.

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Avant Profiles\.default\formdata

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Roaming\Avant Profiles\.default\formdata

Web login URLs and passwords are stored in an encrypted format, protected by a 32-byte key stored in the file 'forms.dat.vdt'. The key is encrypted using an unknown algorithm and stored in BASE64 format.

 
Related Tools: Browser Password Decryptor
 
 
 
  Comodo Dragon

Comodo Dragon is a fast and versatile Internet Browser based on Chromium, with greater level of security & privacy.

It stores all the web login passwords in the SQLite database file called 'Login Data' at the location below.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Comodo\Dragon\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Comodo\Dragon\User Data\Default

It uses the same storage format and encryption mechanism as the Google Chrome browser.

You can use Comodo Password Decryptor to automatically recover all the login passwords stored by the Comodo Dragon browser.

 
Related Tools: Comodo Password Decryptor, Browser Password Decryptor
 
 
 
  CoolNovo (formerly ChromePlus)

CoolNovo (formerly Chrome Plus) is an emerging Chromium based web browser.

It stores all the web login passwords in the SQLite database file called 'Login Data' at the location below.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\MapleStudio\ChromePlus\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\MapleStudio\ChromePlus\User Data\Default

It uses the same storage format and encryption mechanism as Google Chrome.

You can use CoolNovo Password Decryptor to automatically recover all the login passwords stored by the CoolNovo browser.

 
Related Tools: CoolNovo Password Decryptor, Browser Password Decryptor
 
 
 
  Firefox
Firefox versions 3.5 and earlier store the sign-on passwords in the 'signons.txt' file located in the profile directory. From version 3.5 onwards, Firefox stores the sign-on passwords in the SQLite database file named 'signons.sqlite'. The passwords stored in this sign-on file are encrypted using Triple-DES and then BASE64 encoded.

Here is the default location of Firefox profile directory,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\Profiles\<random_name>.default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\Profiles\<random_name>.default
To know how and what information is stored in this encrypted sign-on file, refer to this article page. You can instantly recover all these sign-on passwords using tools such as FirePassword (command line) or FirePasswordViewer (GUI).

Firefox provides an additional protection option called 'master password' to prevent malicious users from discovering these sign-on passwords. The master password itself is not stored anywhere directly, but its one-way hash and other relevant information are stored in the key3.db file within the profile directory. For more details about it, refer to the FireMaster article page.

In case you have lost your master password, then you can recover it using FireMaster tool.
 
Related Tools: FirePassword, FirePasswordViewer, FireMaster, BrowserPasswordDecryptor
 
 
 
  Flock
Flock browser uses similar storage format & encryption mechanism as Google Chrome.

It stores website login passwords in the sqlite database file called 'Login Data' at following profile location.
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Flock\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Flock\User Data\Default
Each stored sign-on entry mainly contains the website URL, username field id, username, password field id and encrypted password. For complete information on how the password is encrypted and other related details, refer to the following research article, 'Exposing the Password Secrets of Google Chrome'.

You can use ChromePasswordDecryptor to recover the website login passwords stored by Flock. By default it sets the profile path of Chrome, but you can change it to the Flock profile location above and recover all the stored passwords.
 
Related Tools: ChromePasswordDecryptor
 
 
 
  Google Chrome
Google Chrome stores all sign-on passwords in the SQLite database file called 'Web Data' within the profile directory. Newer versions use the 'Login Data' file for storing login passwords. Here is the default location of the Chrome profile directory.
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Google\Chrome\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Google\Chrome\User Data\Default
Each stored sign-on entry mainly contains website URL, username field id, username, password field id and encrypted password. For complete information on how password is encrypted and other related details, refer to following research article page, 'Exposing the Password Secrets of Google Chrome'

You can use ChromePasswordDecryptor to automatically recover all the sign-on passwords stored by Chrome.
 
Related Tools: ChromePasswordDecryptor, GooglePasswordDecryptor, BrowserPasswordDecryptor
 
 
 
  Google Chrome Canary or SXS
Google Chrome Canary or SXS is the parallel test version of Chrome which users can download and test, thereby helping Google to release a stable version of Chrome.

Like Chrome, it also stores all sign-on passwords in the SQLite database file called 'Web Data' within the profile directory. Newer versions use the 'Login Data' file for storing login passwords. However, the profile location of the Chrome Canary build is slightly different:
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Google\Chrome SXS\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Google\Chrome SXS\User Data\Default
Also it uses same storage and encryption mechanism as Chrome. Each stored sign-on entry mainly contains website URL, username field id, username, password field id and encrypted password. For complete information on how password is encrypted and other related details, refer to following research article page, 'Exposing the Password Secrets of Google Chrome'

You can use ChromePasswordDecryptor to automatically recover all the sign-on passwords stored by Chrome. By default it sets the profile path of Chrome, so here you need to change it to the Chrome Canary location mentioned above.
 
Related Tools: ChromePasswordDecryptor, GooglePasswordDecryptor, BrowserPasswordDecryptor
 
 
 
  Internet Explorer
Internet Explorer stores two types of passwords, sign-on and HTTP basic authentication (generally proxy, router configuration) passwords. IE below version 7 stores both sign-on and HTTP basic authentication passwords in the secure location known as 'Protected Storage' in the following registry location,
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
From version 7 onwards, IE uses a new mechanism to store the sign-on passwords. The encrypted password for each website is stored along with a hash of the website URL in the following registry location.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Also, from IE 7 onwards, HTTP basic authentication passwords are stored in the 'Credentials store' at the following location, depending on the operating system.
[Windows XP]
C:\Documents and Settings\[username]\Application Data\Microsoft\Credentials

[Windows Vista/Windows 7/Windows 8]
C:\Users\[username]\AppData\Roaming\Microsoft\Credentials
For complete details on how IE stores these passwords and how to recover them refer to main article page, 'Exposing the Secrets of Internet Explorer'.

You can instantly recover stored passwords for all versions of IE using the tool, IEPasswordDecryptor.
 
Related Tools: IEPasswordDecryptor, NetworkPasswordDecryptor, BrowserPasswordDecryptor
 
 
 
  Maxthon
Maxthon (version 3.1.7.1000) stores all the web login user accounts including passwords in the file "MagicFill2.dat" at the location mentioned below
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Maxthon3\Users\<user_name>\MagicFill

[Windows Vista/Windows 7/Windows 8]
C:\Users\Administrator\AppData\Roaming\Maxthon3\Users\<user_name>\MagicFill
This magic file is fully encrypted with an unknown algorithm. We will update here as we decipher more information.
 
Related Tools: BrowserPasswordDecryptor
 
 
 
  Opera
Opera stores the login passwords in an encrypted format in the 'Magic Wand File' called 'Wand.dat' within its profile directory. This profile path is different for different versions of Opera as shown below.
For Opera Version 10 and above
[Windows NT/2K/2k3/XP]
C:\Documents and Settings\<username>\Application Data\Opera\Opera\wand.dat

[Windows Vista/Windows 7/Windows 8]
C:\users\<username>\AppData\Roaming\Opera\Opera\wand.dat

For Opera Version less than 10
[Windows NT/2K/2k3/XP]
C:\Documents and Settings\<username>\Application Data\Opera\Opera\profile\wand.dat

[Windows Vista/Windows 7/Windows 8]
C:\users\<username>\AppData\Roaming\Opera\Opera\profile\wand.dat
Wand file mainly contains website URL, username and password information which are encrypted using Triple-DES algorithm. For more details on how these secrets are encrypted and how to successfully decrypt them, refer to main research article 'Exposing the Secret of Decrypting Opera's Magic Wand'

You can use OperaPasswordDecryptor to instantly recover stored passwords from Opera's magic Wand file.
 
Related Tools: OperaPasswordDecryptor, BrowserPasswordDecryptor
 
 
 
  Safari
Safari uses strong storage format and encryption mechanism for securely storing website login passwords. Login passwords along with other information are stored in 'keychain.plist' file at following central location.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Apple Computer\Preferences

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\AppData\Roaming\Apple Computer\Preferences
The Keychain file uses the binary Property List format (typically found on Mac), which contains information such as website server name, user login & encrypted password. The password is encrypted using the Cryptography functions, with a salt value to make it stronger.

For complete technical details on encryption and decryption algorithm along with code example, refer to following research article - 'Exposing the Password Secrets of Apple Safari'


You can use SafariPasswordDecryptor to automatically recover all the website login passwords stored by Safari.
 
Related Tools: SafariPasswordDecryptor
 
 
 
  SeaMonkey

SeaMonkey is an emerging Mozilla-based web browser. It uses the same password storage format and encryption mechanism as the Firefox browser.

SeaMonkey stores user details including saved web login passwords in file called 'signons.sqlite' at following location,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\SeaMonkey\Profiles\<random_name>.default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Mozilla\SeaMonkey\Profiles\<random_name>.default

It uses the same storage format and encryption mechanism as Firefox.

You can use our tool 'SeaMonkey Password Decryptor' to instantly recover all the web login passwords from SeaMonkey database.


 
Related Tools: SeaMonkeyPasswordDecryptor, BrowserPasswordDecryptor
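
Because every browser above keeps its credential store at a fixed path, a defender can watch for processes other than the owning browser opening those files. The following is an added example, not part of the original article or of any SecurityXploded tool: it classifies file-access events against the browser paths listed above. The CSV event layout, the expected process names and the suspect image directories are assumptions.

```python
import csv
import io
import re

# (application, regex over the normalised target path, expected process name).
# Directories and file names are the ones listed in the article; the process
# names are ASSUMPTIONS and should be adjusted to the local software inventory.
STORES = [
    ("Avant", r"/avant profiles/\.default/formdata/forms\.dat(\.vdt)?$", "avant.exe"),
    ("Comodo Dragon", r"/comodo/dragon/user data/default/login data$", "dragon.exe"),
    ("CoolNovo", r"/maplestudio/chromeplus/user data/default/login data$", "chromeplus.exe"),
    ("Firefox", r"/mozilla/firefox/profiles/[^/]+/(signons\.(txt|sqlite)|key3\.db)$", "firefox.exe"),
    ("Flock", r"/flock/user data/default/login data$", "flock.exe"),
    ("Chrome", r"/google/chrome( sxs)?/user data/default/(web|login) data$", "chrome.exe"),
    ("Opera", r"/opera/opera/(profile/)?wand\.dat$", "opera.exe"),
    ("Safari", r"/apple computer/preferences/keychain\.plist$", "safari.exe"),
    ("SeaMonkey", r"/mozilla/seamonkey/profiles/[^/]+/signons\.sqlite$", "seamonkey.exe"),
]
COMPILED = [(app, re.compile(rx), proc) for app, rx, proc in STORES]

# Directories a legitimate browser binary is not expected to run from (ASSUMPTION).
SUSPECT_IMAGE_DIRS = ("/appdata/local/temp/", "/local settings/temp/", "/downloads/")


def normalise(path):
    """Lower-case and use forward slashes so one regex covers XP and Vista+ layouts."""
    return path.strip().replace("\\", "/").lower()


def classify(image, target):
    """Return (application, verdict) for a file access, or None when the target
    is not one of the credential stores."""
    img, tgt = normalise(image), normalise(target)
    for app, rx, proc in COMPILED:
        if rx.search(tgt):
            if img.rsplit("/", 1)[-1] != proc:
                return app, "unexpected-process"
            # A matching file name alone proves little: flag copies of the
            # browser name running from a user-writable drop location.
            if any(d in img for d in SUSPECT_IMAGE_DIRS):
                return app, "owner-name-from-suspect-dir"
            return app, "expected"
    return None


def scan(csv_text):
    """Return one alert per event that touches a store from a non-expected process."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = classify(row["image"], row["target"])
        if result and result[1] != "expected":
            alerts.append({"time": row["time"], "app": result[0],
                           "verdict": result[1], "image": row["image"]})
    return alerts


# Constructed sample events (not real telemetry); columns: time,image,target.
SAMPLE_EVENTS = r"""time,image,target
2013-05-02T10:15:01,C:\Program Files\Mozilla Firefox\firefox.exe,C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\signons.sqlite
2013-05-02T10:16:40,C:\Users\alice\AppData\Local\Temp\upd.exe,C:\Users\alice\Appdata\Local\Google\Chrome\User Data\Default\Login Data
2013-05-02T10:17:05,C:\Users\alice\Downloads\chrome.exe,C:\Users\alice\Appdata\Local\Google\Chrome\User Data\Default\Login Data
2013-05-02T10:18:30,C:\Windows\explorer.exe,C:\Users\alice\Documents\notes.txt
2013-05-02T10:19:12,C:\Documents and Settings\bob\Local Settings\Temp\x.exe,C:\Documents and Settings\bob\Application Data\Opera\Opera\profile\wand.dat
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Backup agents, antivirus scanners and sync tools also read these files, so the expected-process column needs a local allowlist before the output is used for alerting.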
 
 
 
 
 
 
Instant Messengers
 
  AIM (AOL Instant Messenger)
AIM version 6.x (till v7.2) onwards stores the password at the following registry location,
 HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
AIM PRO version uses the different registry location to store the passwords,
 HKEY_CURRENT_USER\Software\AIM\AIMPRO\<Account_Name>
Latest version of AIM (v7.5 since v7.3) stores the encrypted username/password in the file 'aimx.bin' at following location
 
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\AIM

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Local\AIM
 
AIM uses Blowfish encryption algorithm along with Base64 encoding to securely store the login passwords. We will soon write a detailed research article on 'exposing the password secrets of AIM'.

You can use our FREE tool, AIM Password Decryptor to recover the password saved by all versions of AIM (including latest version v7.5).
 
Related Tools: MessengerPasswordDecryptor
 
 
 
  Beyluxe Messenger
Beyluxe Messenger stores main account password at following registry location
HKEY_CURRENT_USER\Software\Beyluxe Messenger\<nick_name>
The password for each user is encrypted and stored in the registry value 'password' under this key. For more technical details on how Beyluxe encrypts the password and how you can decrypt it manually, refer to the following research article, "Exposing the Password Secrets of Beyluxe Messenger".

You can recover all such account passwords stored by Beyluxe Messenger using MessengerPasswordDecryptor.
 
Related Tools:  MessengerPasswordDecryptor
 
 
 
  BigAnt Messenger
BigAnt Messenger (version 2.82) stores the login name and password at following registry location,
HKEY_CURRENT_USER\Software\BigAntSoft\BigAntMessenger\Setting
Login name is stored in the registry value "LoginName" and encrypted password is stored in the registry value 'Password' under this key. We will update more details about its encryption method once we crack it down.
 
Related Tools:  MessengerPasswordDecryptor
 
 
 
  Camfrog Video Messenger
Camfrog Video Messenger (version 6.2) stores the login password at following registry location,
HKEY_CURRENT_USER\Software\Camfrog\Client\<user_name>\ProfileInfo
Here <user_name> refers to nick name or login name of the user. Hashed password is stored in registry value "Hash1" under this key.
 
Related Tools:  MessengerPasswordDecryptor
 
 
 
  Digsby
Newer versions of Digsby (Build 83 - r27225 as of this writing) store the main account password in the 'logininfo.yaml' file at the following location,
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Digsby

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Local\Digsby
Digsby stores only main account password locally and all other IM account passwords (such as Yahoo, Gmail, AIM) are stored in the servers. Main Digsby password is encrypted using special algorithm with username, windows product id, install date as key and resulting password is then encoded with BASE64 before storing into the above password file.

Earlier versions of Digsby used to save the password in the 'Digsby.dat' file at following location,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Digsby

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Digsby
Earlier Digsby versions used hardcoded string 'foo' as key without BASE64 encoding.

For more information on how Digsby encrypts the password, how it is stored in its secret file and how one can decrypt it manually, refer to our research article 'Exposing the Password Secrets of Digsby'.

You can use DigsbyPasswordDecryptor to instantly recover Digsby password for all versions.
 
Related Tools: DigsbyPasswordDecryptor, MessengerPasswordDecryptor
 
 
 
  Google Talk (GTalk)
Google Talk (GTalk) stores all remembered Gmail account information at the following registry location.
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
For each Google account, a separate registry key named after the account email id is created under this key. The account password is encrypted and stored in the registry string value named 'pw' within this account registry key.

For more information on what mechanism GTalk uses to encrypt the password and how to decrypt it refer to following research article, 'Exposing Google Password Secrets'

You can use GooglePasswordDecryptor to instantly recover all Google account passwords stored by GTalk.
 
Related Tools: GooglePasswordDecryptor, MessengerPasswordDecryptor
 
 
 
  IMVU Messenger
IMVU Messenger (version 450.2) stores the login account information at following registry location,
HKEY_CURRENT_USER\Software\IMVU\username
HKEY_CURRENT_USER\Software\IMVU\password
Username is stored in clear text and password is stored in hex format as a default registry value.

You can use the MessengerPasswordDecryptor tool to automatically & quickly recover the login account password stored by IMVU messenger.
 
Related Tools:  MessengerPasswordDecryptor
 
 
 
  Meebo Notifier
Meebo Notifier (beta version) stores the login messenger account passwords in the 'MeeboAccounts.txt' file at below mentioned location depending on your platform.
[Windows XP]
C:\Documents and Settings\Application Data\Meebo\MeeboAccounts.txt

[Windows Vista/Windows 7/Windows 8]
C:\Users\AppData\Roaming\Meebo\MeeboAccounts.txt
This "MeeboAccounts.txt" file contains username in clear text and login password encoded with magic bytes. To see these real magic bytes along with sample decoding program read our research article - Exposing the Password Secrets of Meebo

You can use our MeeboPasswordDecryptor or Online Meebo Password Decoder to automatically and instantly recover all the messenger passwords stored by Meebo Notifier.
 
Related Tools:  MeeboPasswordDecryptor, MessengerPasswordDecryptor
 
 
 
  Miranda IM
Miranda is a popular open source messenger. Like most instant messengers, Miranda stores all user account information, including passwords, in the profile location. This saves the user from entering the passwords each time.

Latest version of Miranda (v0.9.10) stores the user account & password in the profile file at following location
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Miranda\%profile_name%\%profile_name%.dat

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Miranda\%profile_name%\%profile_name%.dat
User can have multiple profiles specific to office or home environment and corresponding account information is stored in the respective profile file.

Initial versions of Miranda stored all account information in .dat file directly within the base location as shown below,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Miranda\<profile_name>.dat

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Miranda\<profile_name>.dat
Miranda uses its own proprietary mechanism to encrypt the password before storing into the profile file. 

For more details on how Miranda encrypts the password for different protocols and how to decode those secrets refer to following research article,  "Exposing the Password Secrets of Miranda"

You can use MirandaPasswordDecryptor to instantly recover all stored account passwords by Miranda.
 
Related Tools: MirandaPasswordDecryptor, MessengerPasswordDecryptor
 
 
 
  MSN Messenger
MSN Messenger also uses 'Credential Store' to securely store the remembered passwords. These passwords are stored as type 'Domain Visible Network' aka '.Net Passport' using the target name as '.Net passport' within the 'Credential Store'.

For more details on how MSN Messenger stores the passwords and how to decrypt such passwords using the code example, read the following research article, 'Exposing the Password Secrets of MSN/Windows Live Messenger'.

You can recover all MSN messenger stored passwords using MSNLivePasswordDecryptor.
 
Related Tools: MSNLivePasswordDecryptor, MessengerPasswordDecryptor, NetworkPasswordDecryptor
 
 
 
  MySpace IM
MySpaceIM is one of the upcoming instant messengers. It stores the user account & password details at the following location.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\MySpace\IM\users.txt

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\MySpace\IM\users.txt
The user login email id is stored in clear text, whereas the password is in encrypted format. The password is encrypted using 'Windows Crypto API' functions and then encoded using the BASE64 algorithm before being stored in this file. So, in order to decrypt it successfully, one has to decode the password using BASE64 and then decrypt it using the CryptUnprotectData function.

You can use IMPasswordDecryptor to instantly recover the account passwords stored by MySpaceIM.
 
Related Tools: MessengerPasswordDecryptor
 
 
 
  Nimbuzz Messenger
Nimbuzz Messenger (version 1.6) stores the login account information at following registry location,
HKEY_CURRENT_USER\Software\Nimbuzz\PCClient\Application
It stores all the account details including login username & password (stored in hex format) in registry values "username" & "password" respectively.

You can use MessengerPasswordDecryptor to automatically & quickly recover the login account password stored by Nimbuzz.
 
Related Tools:  MessengerPasswordDecryptor
 
 
 
  PaltalkScene
PaltalkScene stores main account password at following registry location
HKEY_CURRENT_USER\Software\Paltalk\<nick_name>
Password is encrypted and stored in the registry value 'pwd' under this key. All other IM passwords such as Gmail, Yahoo, AIM etc are saved under separate sub keys under this registry key. For example Gmail accounts are stored under following registry key,
HKEY_CURRENT_USER\Software\Paltalk\<nick_name>\GGL\<gmail_address>
All these IM passwords are encoded with BASE64 and stored in 'pwd' registry value. For more technical details on how Paltalk encrypts the password and how can one decrypt this password, refer to our research article, Exposing the Password Secrets of PaltalkScene

You can recover main password as well as all the IM passwords stored by Paltalk using PaltalkPasswordDecryptor.
 
Related Tools:  PaltalkPasswordDecryptor, MessengerPasswordDecryptor
 
 
 
  Pidgin (Formerly Gaim)
Pidgin stores all configured account passwords in the "Accounts.xml" file located at following directory
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\.purple

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\.purple
Older versions (Gaim) used .gaim folder instead of .purple to store the account details. For each stored account, 'Accounts.xml' file contains the <account> tag, which has sub tags <name> & <password> containing the account email address and password in plain text respectively.

You can recover Pidgin passwords using MessengerPasswordDecryptor.
 
Related Tools: MessengerPasswordDecryptor
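
Since Pidgin keeps passwords in plain text, an endpoint audit can report which accounts on a machine are exposed this way without ever displaying the secret. This is an added example, not code from the original article: the function names and the sample XML are constructed for illustration, and only the .purple/.gaim folders and the <account>, <name> and <password> tags come from the text above.

```python
import os
import xml.etree.ElementTree as ET

# Folder names from the article: '.purple' (Pidgin) and '.gaim' (older Gaim).
PROFILE_DIRS = (".purple", ".gaim")
# Windows file names are case-insensitive; the lower-case spelling is used here.
ACCOUNTS_FILE = "accounts.xml"


def find_account_files(appdata_root):
    """Return existing accounts.xml paths under an Application Data / Roaming root."""
    found = []
    for folder in PROFILE_DIRS:
        candidate = os.path.join(appdata_root, folder, ACCOUNTS_FILE)
        if os.path.isfile(candidate):
            found.append(candidate)
    return found


def audit_accounts(xml_bytes):
    """List each account and whether a plaintext password is stored.

    The password value itself is never returned or logged."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"accounts.xml is not well-formed: {exc}") from exc
    findings = []
    for account in root.iter("account"):
        name = account.findtext("name")
        if name is None:
            # An enclosing element with the same tag name has no <name> child.
            continue
        password = account.findtext("password")
        findings.append({
            "name": name.strip(),
            "plaintext_password": bool(password and password.strip()),
        })
    return findings


def audit_profile(appdata_root):
    """Map every accounts.xml found under appdata_root to its findings."""
    report = {}
    for path in find_account_files(appdata_root):
        with open(path, "rb") as handle:
            report[path] = audit_accounts(handle.read())
    return report


# Constructed sample file content (not taken from a real profile).
SAMPLE_ACCOUNTS_XML = b"""<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <name>alice@example.com</name>
    <password>constructed-sample-secret</password>
  </account>
  <account>
    <name>bob@example.org</name>
  </account>
</account>
"""

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS_XML):
        state = "STORED IN PLAIN TEXT" if finding["plaintext_password"] else "not saved"
        print(f"{finding['name']}: password {state}")
```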
 
 
 
  Skype
Skype does not store password directly. Instead it stores the encrypted hash of the password in the 'config.xml' located in Skype's user profile directory. Typical user profile directory for Skype will be as follows,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Skype\<account_name>

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Skype\<account_name>
This config.xml contains <Credentials2> tag which contains encrypted hash of the password. As per the research paper 'Vanilla Skype' written by Fabrice Desclaux and Kostya Kortchinsky, Skype uses the MD5 hash of string "username\nskyper\npassword" for authentication. If user has set the 'Remember password' option then this MD5 hash is encrypted using AES-256 & SHA-1 algorithms and finally saved into the 'Config.xml' file.

Since the HASH of the password is saved, it is not possible to directly get the password. Instead one has to use dictionary or brute force approach to find out the right password from the hash. This approach may take days or months together based on the length & complexity of the password.

You can use 'SkypePassword' from Lastbit to recover stored Skype password.
 
Related Tools: SkypePassword by Lastbit
 
 
 
  Tencent QQ
Tencent QQ is a popular instant messenger which stores the user's login information in the file "Registry.db" at the following location
C:\Users\<user_name>\Documents\Tencent Files\<qq_login_id>\QQ
This "Registry.db" file is in the OLE storage format, which can be viewed using DocFile Viewer. However, the internal login information is encrypted using the Blowfish algorithm.
 
Related Tools: MessengerPasswordDecryptor
 
 
 
  Trillian
[Version 4.21 build 24] - [Version 5.0.0.26]
Trillian Astra stores only main account passwords (called as Identity or Astra password) in the 'accounts.ini' file at below mentioned location. But all other IM account passwords (such as Yahoo, Gtalk, AIM, MSN etc) are stored on the servers.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Trillian\users\global\

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Trillian\users\global\
For each account it contains a section named '[Account<number>]' under which all information for that account is stored. The username is stored in the field named 'Account=' and the password is stored in the field 'Password='. Trillian first performs XOR encoding of the password with a standard pattern and then encodes it with BASE64 before storing it.

For more technical details on how different versions of Trillian encrypt the password and how we can manually decrypt it, refer to our following research article
Exposing the Password Secrets of Trillian

You can use TrillianPasswordDecryptor to automatically recover passwords stored by all versions of Trillian.
 
Related Tools: TrillianPasswordDecryptor, MessengerPasswordDecryptor
 
 
 
  Windows Live Messenger
Windows Live Messenger stores the account password at 'Credential Store' which provides different mechanisms such as 'Generic', 'Domain Network', 'Domain Visible Network' etc which applications can use to store and retrieve their private credentials. Each such method requires different technique and privilege level to enumerate and decrypt the passwords.


Windows Live Messenger uses 'Generic Password' mechanism of 'Credential Store' to store the passwords under the target name 'WindowsLive:name=<email_id>'. To know more about how to recover stored passwords by Live Messenger, read on to this research article, 'Exposing the Password Secrets of MSN/Windows Live Messenger'

You can use MSNLivePasswordDecryptor to instantly recover all such passwords stored by Live Messenger.
 
Related Tools: MSNLivePasswordDecryptor, MessengerPasswordDecryptor, NetworkPasswordDecryptor
 
 
 
  Xfire
Xfire is a free tool, with more than a million members, that automatically keeps track of when and where gamers are playing games online. Xfire stores the user settings including login username & password in a file "XfireUser.ini" at the following location,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Xfire

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Xfire\
Xfire uses the Blowfish encryption algorithm for both username & password. Each encrypted username is stored with the label "EncryptedUser1" and the password is stored as "EPW1". However, Xfire does not store the original password directly. Instead it generates the SHA1 hash of username+password+"UltimateArena" and then stores the encrypted form of this SHA1 hash.
You can use XfirePasswordDecryptor to instantly recover the login passwords from Xfire.
 
Related Tools: XfirePasswordDecryptor, HashKracker
 
 
 
  Yahoo Messenger
Yahoo Messenger prior to version 7 used to store the password in the registry value 'EOptions String' at following registry location,
 HKEY_CURRENT_USER\Software\Yahoo\Pager
This password is encrypted and then encoded using Yahoo64 (similar to Base64) algorithm and stored at above location. The actual algorithm and encoding functionality is present in  ycrwin32.dll (can be found in installed location of Yahoo Messenger).

From version 7 onwards, Yahoo stores the encrypted token derived from username & password in the registry value 'ETS' at the same registry location. Although you cannot decrypt this token back to the password, you can copy it to another machine and continue to log in to Yahoo Messenger.

For more interesting details on this password token & authentication mechanism refer to this research paper.
 
Related Tools: YahooPasswordDecryptor
 
 
 
 
 
Email Client Applications
 
  Foxmail
Foxmail [version 6.5] stores all the configured mail account password information at following location,
 
[Windows - 32 bit]
C:\Program Files\Foxmail\mail\<account_emailaddress>\Account.stg

[Windows - 64 bit]
C:\Program Files (x86)\Foxmail\mail\<account_emailaddress>\Account.stg
 

This "Account.stg" file appears to be in binary format: the first 0x800 bytes are filled with some hex data, followed by the actual account information including the POP3 and SMTP account passwords. POP3 & SMTP account passwords are stored under the names 'POP3Password' & 'ESMTPPassword' respectively. The passwords are stored in hex format and XOR encoded using the magic string "~draGon~".

Foxmail v7.0 or higher uses the new magic string "~F@7%m$~" with the same algorithm. It also stores the account passwords in a different format at a new location

[Windows - 32 bit & 64 bit]
C:\Program Files\Foxmail 7.0\Data\AccCfg\Accounts.tdat
 
You can use FoxmailPasswordDecryptor tool to recover all mail account passwords stored by Foxmail.
 
Related Tools: GooglePasswordDecryptor, MailPasswordDecryptor
 
 
 
  Gmail Notifier
Gmail Notifier uses different mechanism to store the Google account password based on IE versions. For IE version 7 onwards, Gmail Notifier stores the password in the 'Windows Credential Store'. This password can be decrypted using CredEnumerate API function. For complete code sample to enumerate and decrypt Google account password from Credential store, read on to this article, 'Exposing Google Password Secrets'.

You can use the GooglePasswordDecryptor or NetworkPasswordDecryptor tool to instantly recover all Google account passwords stored by Gmail Notifier.
 
Related Tools: GooglePasswordDecryptor, MailPasswordDecryptor
 
 
 
  IncrediMail
IncrediMail stores all the configured mail account password information at following registry location,
 
HKEY_CURRENT_USER\Software\IncrediMail\Identities\{GUID_1}\Accounts\{GUID_2}
 
Main account details such as email address, POP3 password and SMTP password are stored in the registry values 'EmailAddress', 'PopPassword' & 'SmtpPassword' respectively. Passwords are encoded using the magic byte pattern "0x89, 0x32, 0xCA, 0x31".

You can use IncrediMailPasswordDecryptor tool to automatically recover all mail account passwords stored by IncrediMail.
 
Related Tools:  IncrediMailPasswordDecryptor, MailPasswordDecryptor
 
 
 
  Microsoft Outlook
The latest version, Microsoft Outlook 2013 (version 15.0), stores the account configuration along with the encrypted password at the following location
 
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
 
Outlook versions from 2002 up to 2010 store the passwords (other than Exchange server) for various email accounts such as POP3, IMAP, SMTP and HTTP at the following registry location.
[Windows NT onwards]
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

[Prior to Windows NT]
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles
Newer versions of Outlook from 2002-2010 store the Exchange server passwords in the 'Credential Store' as it provides better protection than other methods. You can use OutlookPasswordDecryptor or NetworkPasswordDecryptor to recover such passwords.

Older versions of Outlook (Outlook Express, 98, 2000 etc) store the email configuration information along with the encrypted password at the following registry location,
[For Outlook installed in Internet Mail Only Mode Configuration]
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

[For Outlook in normal mode]
HKCU\Software\Microsoft\Internet Account Manager\Accounts
For detailed information on how each version of Outlook stores the passwords for different types of email accounts and how to recover them, read the following research article, 'Exposing the Secret of Decrypting Outlook Passwords'

You can use OutlookPasswordDecryptor to decrypt passwords for all versions of Outlook from 98 to 2013.
 
Related Tools: Outlook Password Decryptor, Mail Password Decryptor, Mail Password Sniffer
 
 
 
  ThunderBird
ThunderBird stores all remembered email settings along with password into the SQLite database file 'signons.sqlite' in its profile location. The default profile location for different platforms is as follows,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Thunderbird\Profiles\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Thunderbird\Profiles\<random_name>.default
You can use ThunderbirdPassDecryptor to recover all stored mail account passwords by Thunderbird.
 
Related Tools: ThunderbirdPassDecryptor, MailPasswordDecryptor, Mail Password Sniffer
 
 
 
  Windows Live Mail
Windows Live Mail (part of Windows Essentials) stores all the account information including passwords at following location.
[Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Local\Microsoft\Windows Live Mail\

Each account is stored in a .oeaccount file in separate folder within the above profile location. The file is stored in XML format and passwords are found within the tags such as HTTPMail_Password2, POP3_Password2, IMAP_Password2, SMTP_Password2 etc.

Password is encrypted with a salt using Windows Cryptography functions.

You can use Live Mail Password Decryptor to recover all mail account passwords stored by Windows Live Mail.

 
Related Tools: Live Mail Password Decryptor, Mail Password Decryptor, Mail Password Sniffer
 
 
 
 
 
 
FTP Client Applications
 
  Dreamweaver
Dreamweaver - popular web site editing software - stores FTP & WebDav login & password information in the registry at following location.
HKEY_CURRENT_USER\Software\Adobe\Common\10\Sites\-SiteX\Keychain
For Dreamweaver CS5 edition, replace 10 with 11 in above location. Each FTP site entry is stored in separate key "-SiteX" (as shown above) where X starts with 1 and incremented for every new FTP site. Each such Keychain entry contains user and encrypted password stored within the registry values named "User" & "User PW" respectively.

Dreamweaver uses the standard Windows Cryptography Functions (CryptProtectData) to encrypt the password before saving it to registry.

You can use DreamweaverPasswordDecryptor to recover all the FTP passwords stored by Dreamweaver.
 
Related Tools: FTPPasswordDecryptor,   FTPPasswordSniffer
 
 
 
  FileZilla
FileZilla stores all account information along with username & password in the "recentservers.xml" file at following location,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\FileZilla

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\FileZilla
This XML file contains an entry for each FTP server account under the tag <server>. Each server entry has <user> & <pass> tags which contain the user name & password in plain text for the corresponding FTP server.

You can use FilezillaPasswordDecryptor tool to recover all  FTP server passwords stored by FileZilla.
 
Related Tools: FTPPasswordDecryptor,   FTPPasswordSniffer
 
 
 
  FlashFXP
FlashFXP - one of the emerging FTP clients - stores FTP login & password information in 'Sites.dat' file at below location,
[Windows XP]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat

[Windows Vista/Windows 7/Windows 8]
C:\ProgramData\FlashFXP\4\Sites.dat
The above location applies to FlashFXP v4 or higher. For version 3, replace 4 with 3 in the above location. FlashFXP uses a simple encoding algorithm with the magic string "yA36zA48dEhfrvghGRg57h5UlDv3" to encrypt the password.

You can use FlashfxpPasswordDecryptor to recover all the FTP passwords stored by FlashFXP.
 
Related Tools: FTPPasswordDecryptor,   FTPPasswordSniffer
 
 
 
  FTPCommander
FTPCommander is one of the popular FTP clients and comes in FREE, Pro & Deluxe editions.

FTPCommander FREE edition stores the FTP site information in a file "Ftplist.txt" at its installed location
[Windows - 32 bit]
C:\Program Files\FTP Commander

[Windows - 64 bit]
C:\Program Files (x86)\FTP Commander
FTPCommander PRO edition stores the FTP site information in a file "Ftplist.txt" at following location
 
[Windows - all platforms]
C:\CFtp\
 
FTPCommander Deluxe edition stores the FTP site information in a file "Ftplist.txt" at its installed location
 
[Windows - 32 bit]
C:\Program Files\FTP Commander Deluxe

[Windows - 64 bit]
C:\Program Files (x86)\FTP Commander Deluxe
 
All editions of FTPCommander (as of latest version v9.2) store the password along with the server & username after XOR encoding the password with the magic number 0x19 (25).

You can use FTPCommanderPasswordDecryptor to recover FTP passwords stored by all editions of FTPCommander.
 
Related Tools: FTPPasswordDecryptor,   FTPPasswordSniffer
 
 
 
  SmartFTP
SmartFTP - one of the popular commercial FTP clients - stores all the configured FTP account & password information at the following location
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\SmartFTP\Client 2.0\Favorites\Quick Connect

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
SmartFTP (as of latest version v4.0) stores each FTP site's information (host, username & password) in a separate XML file in the above location. The password is encrypted using the 'Windows Cryptography Functions' (CryptEncrypt). It uses the RC4 encryption algorithm with the key derived from the MD5 hash of the magic string "SmartFTP".

You can use SmartFtpPasswordDecryptor to recover all the FTP passwords stored by SmartFTP.
 
Related Tools: FTPPasswordDecryptor,   FTPPasswordSniffer
 
 
 
  WS_FTP
WS_FTP - one of the popular FTP clients - stores all the configured FTP account & password information in the file "ws_ftp.ini" at the following location
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Ipswitch\WS_FTP\Sites\

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Ipswitch\WS_FTP\Sites\
Username and password for each of the stored FTP site is present after fields "uid=" and "pwd=" respectively. Password is encrypted using Triple DES algorithm with magic key and then stored in the Base64 format.

For more interesting details read our research article - Exposing the Password Secrets of WS_FTP.

You can use our WS_FTPPasswordDecryptor to recover all the FTP passwords stored by WS_FTP.
 
Related Tools: FTPPasswordDecryptor,   FTPPasswordSniffer
 
 
 
 
 
 
Miscellaneous Applications
 
  Google Desktop Search
'Google Desktop Search' stores the Google account information in the registry when it is configured to search your Gmail account. Here is the registry location,
 HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\Gmail
The above registry key contains the 2 main registry values, 'POP3_name' & 'POP3_credentials' holding the Google account name & encrypted password respectively. For more details on how to decrypt this password, read on to following research article, 'Exposing Google Password Secrets'.

You can use GooglePasswordDecryptor tool to instantly recover any such password stored by Google Desktop Search.
 
Related Tools: GooglePasswordDecryptor
 
 
 
  Heroes of Newerth
Heroes of Newerth (HoN) is a popular game based on Warcraft III DoTA. It stores the user's login information in the file "login.cfg" at the location below, depending on the platform,
[Windows]
C:\Users\User\Documents\Heroes of Newerth\game\

[Linux]
/home/user/.Heroes of Newerth/game/

[Mac]
/Users/User/Library/Application Support/Heroes of Newerth/game/
This "login.cfg" file contains the username and password after the fields 'login_name' & 'login_password' respectively. The password field is nothing but the MD5 hash of the original password, which can be cracked using online MD5 hash crackers or offline tools.
 
 
 
  Internet Download Manager (IDM)
IDM stores all the premium account passwords for download sites at following registry location,
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
There is a registry key representing each download site below this location. Each such entry has 2 registry values, "User" & "EncPassword". The user name is stored as the hex representation of its ASCII characters, while the password is XOR encoded with 0xf.

You can use our IDMPasswordDecryptor to automatically recover all stored passwords by IDM.
 
Related Tools: IDMPasswordDecryptor
 
 
 
  JDownloader
JDownloader [less than version 2.0] stores all the premium account passwords in the HSQL database file at following location,
[32 bit - x86 System]
C:\Program Files\JDownloader\Config

[64 bit - x64 System]
C:\Program Files (x86)\JDownloader\Config

HSQLDB stores the database contents in terms of plain SQL statements. You can find all JDownloader configuration along with premium passwords in "database.script" file. There is no encryption as such but data itself is stored in serialized object format.

For version 2 beta onwards, JDownloader stores the account passwords at new location.

[Windows XP]
C:\Documents and Settings\Local Settings\Application Data\JDownloader 2.0\Cfg

[Windows Vista/Windows 7/Windows 8]
C:\Users\AppData\Local\JDownloader 2.0\Cfg
Note that the install location has also changed from %program files%, as in previous versions, to %appdata%. The new version v2.0 Beta stores the account details in JSON format and then encrypts the contents before storing them in the file 'org.jdownloader.settings.AccountSettings.accounts.ejs'.

You can use our JDownloaderPasswordDecryptor tool to instantly recover passwords from all versions of JDownloader.

 
Related Tools: JDownloaderPasswordDecryptor
 
 
 
  Orbit Downloader
'Orbit Downloader' stores all the premium account passwords for download sites at following file,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Orbit\sitelogin.dat

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Orbit\sitelogin.dat
The "sitelogin.dat" file contains website, username & password information for each of the premium download site. Passwords are encrypted using IDEA algorithm.

You can use our OrbitPasswordDecryptor to automatically recover all stored passwords by Orbit Downloader.
 
Related Tools: OrbitPasswordDecryptor
 
 
 
  Picasa
Picasa stores Google account password information at one of the following registry locations.
HKEY_CURRENT_USER\Software\Google\Picasa\Picasa2\Preferences
HKEY_CURRENT_USER\Software\Google\Picasa\Picasa3\Preferences
Some of the early releases of Picasa 3 used the second location, but later releases switched back to the previous location. The registry value 'gaiaEmail' contains the Google account id and 'gaiaPass' contains the encrypted password. Picasa versions 2 and 3 use different encryption mechanisms to store the password. For complete information on how to decrypt passwords stored by different versions of Picasa, read the article 'Exposing Google Password Secrets'.

GooglePasswordDecryptor can automatically recover the password for different versions of Picasa.
 
Related Tools: GooglePasswordDecryptor
 
 
 
  Remote Desktop
Remote Desktop stores the saved credentials in the 'Credential Store' using the target name 'LegacyGeneric:target=TERMSRV/<Host_IP_address>'. As many applications use the 'Credential Store' to save their passwords, this target name can be used to uniquely identify passwords stored by 'Remote Desktop'.

For more information on how 'Credential Store' works and how to recover the password, read on to this research article 'Exposing the Secret of Decrypting Network Passwords'

You can use 'NetworkPasswordDecryptor' to recover the passwords stored by Remote Desktop.
 
Related Tools: NetworkPasswordDecryptor
 
 
 
  Seesmic
Seesmic is a popular desktop client for Twitter. It stores account settings in the file named 'data.db' at following location
C:\Users\\Documents\Seesmic\Seesmic Desktop 2\Data\
This file 'data.db' is in SQLite database format. It has many tables, of which the 'Accounts' & 'Settings' tables are the interesting ones.

'Settings' table contains following important keys 'SeesmicUsername' & 'SeesmicEmail' which refers to login id for Seesmic itself.

The 'Accounts' table contains all the Twitter accounts configured by the user. Each account is identified by a unique id, and the 'AccountData' field contains the complete account details in XML format. Below is a sample:
 
<?xml version="1.0" encoding="utf-16"?>
<TwitterAccount xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Id>e44943f8-f5a2-4025-92b6-1cc3d9d344a3</Id>
<Username>SecurityXploded</Username>
<UserId>1234567890</UserId>
<Token>1234567890-abcDEG9P6huGMxgNCBPTFkmF7DhEBAv4vFCSlvAb</Token>
<TokenSecret>ABuCDIEmsUoFFGUCj6MmmACXey0UWcDXKZwaZYhXZc</TokenSecret>
<DirectsLimit>30</DirectsLimit>
<FriendsLimit>30</FriendsLimit>
<RepliesLimit>30</RepliesLimit>
<TweetlistsLimit>10</TweetlistsLimit>
<APIusageLimit>80</APIusageLimit>
<ExcludeFromTimelines>false</ExcludeFromTimelines>
<IsAuthenticated>true</IsAuthenticated>
<AggregateAccountUpdates>true</AggregateAccountUpdates>
<ServerAccountId>46e9fb7f-1234-411f-1234-9f35885997d4</ServerAccountId>
<UsesSeesmicConsumerKey>true</UsesSeesmicConsumerKey>
<TimelineCacheLimit>200</TimelineCacheLimit>
<FriendsCacheLimit>200</FriendsCacheLimit>
<SearchCacheLimit>200</SearchCacheLimit>
</TwitterAccount>
 

Note that when you add Twitter account to Seesmic, you are required to login to Twitter and grant permission to Seesmic. Whenever you do this, Twitter generates various authentication ids such as consumerKey, consumerSecret, oAuthToken & oAuthSecret. Seesmic can then use OAuth Mechanism with these secret ids to access your Twitter Account.


Seesmic stores these secret ids along with other details for each account in the above XML file. Here the <Token> field refers to "oAuthToken" and <TokenSecret> refers to "oAuthSecret". It appears that consumerKey and consumerSecret may have been stored on the server, which is referred to by the field <ServerAccountId>.
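The storage layout described above can be checked on a workstation with a short audit. This is an added example, not code from the original article or from Seesmic: it lists accounts whose OAuth token pair is stored on disk and reports only lengths, never the values. The database is a constructed in-memory stand-in, and the 'Id' column name is an assumption.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed AccountData value modelled on the article's sample; the token
# strings are placeholders, not real credentials.
ACCOUNT_XML = """<?xml version="1.0" encoding="utf-16"?>
<TwitterAccount xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Id>00000000-0000-0000-0000-000000000001</Id>
<Username>example_user</Username>
<UserId>1234567890</UserId>
<Token>1234567890-CONSTRUCTEDTOKEN</Token>
<TokenSecret>CONSTRUCTEDSECRET</TokenSecret>
</TwitterAccount>"""
NO_TOKEN_XML = ("<TwitterAccount><Username>pending_user</Username>"
                "<Token /></TwitterAccount>")


def build_sample_db():
    """In-memory stand-in for data.db; the 'Id' column name is assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Accounts (Id TEXT PRIMARY KEY, AccountData)")
    db.execute("INSERT INTO Accounts VALUES ('row-1', ?)", (ACCOUNT_XML,))
    # Second row is stored as UTF-16 bytes to exercise the BLOB path.
    db.execute("INSERT INTO Accounts VALUES ('row-2', ?)",
               (NO_TOKEN_XML.encode("utf-16"),))
    return db


def parse_account(data):
    """Turn one AccountData value (text or UTF-16 bytes) into a tag->text dict."""
    if isinstance(data, bytes):
        data = data.decode("utf-16")
    # Drop the XML declaration: its encoding="utf-16" no longer describes an
    # already-decoded string, and some parsers reject the mismatch.
    data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data)
    return {child.tag: (child.text or "") for child in ET.fromstring(data)}


def audit_tokens(db):
    """List accounts that have a usable OAuth token pair stored on disk."""
    findings = []
    for row_id, data in db.execute("SELECT Id, AccountData FROM Accounts"):
        fields = parse_account(data)
        if fields.get("Token") and fields.get("TokenSecret"):
            findings.append({"row": row_id,
                             "username": fields.get("Username", ""),
                             "user_id": fields.get("UserId", ""),
                             "token_chars": len(fields["Token"]),
                             "secret_chars": len(fields["TokenSecret"])})
    return findings


if __name__ == "__main__":
    for finding in audit_tokens(build_sample_db()):
        print(finding)
```

Each finding names an account whose application access should be revoked from the Twitter account settings if the machine or the file is no longer trusted.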

 
Related Tools: Twitter Password Decryptor
 
 
 
  SuperPutty
SuperPutty is a Windows GUI Application that allows PuTTY SSH Client to be opened in Tabs. It stores the session login password details in the file named 'sessions.xml' at following location
[Windows XP]
C:\Documents and Settings\[user name]\My Documents\SuperPuTTY\

[Windows Vista/Windows 7/Windows 8]
C:\Users\[user_name]\Documents\SuperPuTTY\
Each stored session starts with a tag <SessionData and contains information about Host, Port, Username, Password. Password is usually stored in Extra arguments after -pw option.

You can use our SuperPutty Password Decryptor to automatically recover all the stored session passwords.
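The FileZilla and SuperPutty entries above both describe passwords kept in readable form inside XML files. The following audit routine is an added example, not code from the original article or from either project: it flags such entries and reports only the password length. The sample files are constructed, and the SuperPutty attribute names (Host, Username, ExtraArgs) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (all values invented). FileZilla tags are matched
# case-insensitively; SuperPutty attribute names are assumptions.
FILEZILLA_SAMPLE = """<FileZilla3><RecentServers>
  <Server><Host>ftp.example.test</Host><Port>21</Port>
    <User>deploy</User><Pass>Summer2013!</Pass></Server>
  <Server><Host>files.example.test</Host><Port>21</Port>
    <User>anonymous</User><Pass></Pass></Server>
</RecentServers></FileZilla3>"""

SUPERPUTTY_SAMPLE = """<ArrayOfSessionData>
  <SessionData SessionName="build01" Host="10.0.0.5" Port="22"
               Username="root" ExtraArgs="-X -pw hunter2" />
  <SessionData SessionName="jump" Host="10.0.0.9" Port="22"
               Username="ops" ExtraArgs="-X" />
</ArrayOfSessionData>"""

# "-pw <value>" inside a PuTTY argument string; the value may be quoted.
PW_ARG = re.compile(r'(?:^|\s)-pw\s+("[^"]*"|\S+)')


def redact(secret):
    """Report only the length so audit output never repeats the secret."""
    return "<redacted, %d chars>" % len(secret)


def audit_filezilla(xml_text):
    """Return one finding per <server> entry that carries a non-empty <pass>."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        if node.tag.lower() != "server":
            continue
        fields = {c.tag.lower(): (c.text or "").strip() for c in node}
        if fields.get("pass"):
            findings.append({"app": "FileZilla", "host": fields.get("host", ""),
                             "user": fields.get("user", ""),
                             "secret": redact(fields["pass"])})
    return findings


def audit_superputty(xml_text):
    """Return one finding per <SessionData> whose extra arguments hold -pw."""
    findings = []
    for node in ET.fromstring(xml_text).iter("SessionData"):
        match = PW_ARG.search(node.get("ExtraArgs", ""))
        if match:
            findings.append({"app": "SuperPutty", "host": node.get("Host", ""),
                             "user": node.get("Username", ""),
                             "secret": redact(match.group(1).strip('"'))})
    return findings


if __name__ == "__main__":
    for finding in audit_filezilla(FILEZILLA_SAMPLE) + audit_superputty(SUPERPUTTY_SAMPLE):
        print(finding)
```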
 
Related Tools: SuperPutty Password Decryptor
 
 
 
  TweetDeck
TweetDeck is one of the popular Twitter clients and also supports other social networking sites such as Facebook, LinkedIn, MySpace, Buzz etc. It is developed using the Adobe Air framework and hence uses the 'Encrypted Local Storage' (ELS) mechanism provided by Adobe Air to store all the account credentials. The encrypted password files are stored at the following location based on the platform,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Adobe\AIR\ELS\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Adobe\AIR\ELS\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
On Windows, Adobe AIR uses DPAPI functions to encrypt the credentials using the 128 bit AES-CBC algorithm. Here is the typical sequence which is generally used to store the secret data.
 
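import flash.data.EncryptedLocalStore;
import flash.utils.ByteArray;

// Secret to be stored
var strToEncrypt:String = "passw0rd";

// ELS stores raw bytes, so convert the string to a ByteArray first
var myByteArray:ByteArray = new ByteArray();
myByteArray.writeUTFBytes(strToEncrypt);

// Save the bytes under the key "securityxploded"; AIR encrypts them on disk
EncryptedLocalStore.setItem("securityxploded", myByteArray);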
 
Latest version (checked with v2.1) of TweetDeck no longer uses Adobe AIR. It stores account settings in the file named 'qrc__0.localstorage' at following location
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\twitter\TweetDeck\localStorage\

[Windows Vista & higher]
C:\Users\<user_name>\Appdata\Local\twitter\TweetDeck\localStorage\
This file is in SQLite database format. It has one table, 'itemTable', containing key & value fields which store various user settings. The login email is stored under the key 'tweetdeck_account' and the encrypted password is stored under the key 'hoard'. This field contains the login email id and the base64 encoded text of the actual encrypted password.
 
More reversing is required to further analyze the encrypted password. If you find any interesting details, do share.
 
Related Tools: Twitter Password Decryptor
 
 
 
 
 
 
 
See Also