SecurityXploded.com
Password Secrets of Popular Windows Applications
 
 
Introduction

In today's Internet-driven world, all of us use applications ranging from browsers and mail clients to instant messengers. Most of these applications store sensitive information such as user names and passwords in their own private locations using proprietary methods. This saves the user the hassle of entering credentials at every authentication.


Some applications take utmost care to secure your login passwords, but most use simple or merely obscure methods to store them, which can easily expose your secrets to spyware running in the background or to anyone who has access to your system.

In this context, this article exposes the password storage locations and encryption mechanisms used by most of the popular applications. It also gives pointers on how to uncover such passwords using the free password tools developed by us.

 
Password Secrets of Windows Applications
Here is the list of popular applications, grouped into categories such as Internet browsers, email clients and instant messengers, whose password secrets are exposed below.
 
Internet Browsers
 
  Avant

Avant Browser is an emerging ultra-fast web browser bringing a new level of clarity and efficiency to your browsing experience.

It stores all the web login passwords in the file named 'forms.dat' at the location below.

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Avant Profiles\.default\formdata

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Roaming\Avant Profiles\.default\formdata

Web login URLs and passwords are stored in an encrypted format, protected by a 32-byte key stored in the file 'forms.dat.vdt'. The key is encrypted using an unknown algorithm and stored in BASE64 format.

Related Tools: Browser Password Decryptor
 
 
  Comodo Dragon

Comodo Dragon is a fast and versatile Internet browser based on Chromium, with a greater level of security & privacy.

It stores all the web login passwords in the SQLite database file called 'Login Data' at the location below.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Comodo\Dragon\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Comodo\Dragon\User Data\Default

It uses the same storage format and encryption mechanism as the Google Chrome browser.

You can use Comodo Password Decryptor to automatically recover all the login passwords stored by the Comodo Dragon browser.

Related Tools: Comodo Password Decryptor, Browser Password Decryptor
 
 
  CoolNovo (formerly ChromePlus)

CoolNovo (formerly Chrome Plus) is an emerging Chromium-based web browser.

It stores all the web login passwords in the SQLite database file called 'Login Data' at the location below.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\MapleStudio\ChromePlus\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\MapleStudio\ChromePlus\User Data\Default

It uses the same storage format and encryption mechanism as Google Chrome.

You can use CoolNovo Password Decryptor to automatically recover all the login passwords stored by the CoolNovo browser.

Related Tools: CoolNovo Password Decryptor, Browser Password Decryptor
 
 
  Firefox
Firefox version 3.5 and earlier stores the sign-on passwords in the 'signons.txt' file located in its profile directory. From version 3.5 onwards, Firefox stores the sign-on passwords in an SQLite database file named 'signons.sqlite'. The passwords stored in this sign-on file are encrypted using Triple-DES and then encoded with BASE64.

Here is the default location of the Firefox profile directory,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\Profiles\<random_name>.default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\Profiles\<random_name>.default
To know how and what information is stored in this encrypted sign-on file, refer to this article page. You can instantly recover all these sign-on passwords using tools such as FirePassword (command line) or FirePasswordViewer (GUI).

Firefox provides an additional protection option called 'master password' to prevent malicious users from discovering these sign-on passwords. The master password itself is not stored anywhere directly, but its one-way hash and other relevant information are stored in the key3.db file within the profile directory.
To know Firefox master password secrets and to recover the master password, check our tool,
FireMaster
Related Tools: FirePassword, FirePasswordViewer, FireMaster, Browser Password Decryptor
 
 
  Flock
The Flock browser uses a storage format & encryption mechanism similar to Google Chrome's.

It stores website login passwords in the SQLite database file called 'Login Data' at the following profile location.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Flock\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Flock\User Data\Default
Each stored sign-on entry mainly contains the website URL, username field id, username, password field id and encrypted password.
For details on how these passwords are encrypted and how to decrypt them, check out
'Exposing the Password Secrets of Google Chrome'

You can use Chrome Password Decryptor to recover the website login passwords stored by Flock. By default it sets the profile path of Chrome, but you can change it to the Flock profile location given above and recover all the stored passwords.

Related Tools: Chrome Password Decryptor
 
 
  Google Chrome
Google Chrome stores all sign-on passwords in the SQLite database file called 'Web Data' within the profile directory. Newer versions use the 'Login Data' file for storing login passwords. Here is the default location of the Chrome profile directory.
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Google\Chrome\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Google\Chrome\User Data\Default
Each stored sign-on entry mainly contains the website URL, username field id, username, password field id and encrypted password.
For details on how these passwords are encrypted and how to decrypt them, check out
'Exposing the Password Secrets of Google Chrome'

You can use Chrome Password Decryptor to automatically recover all the sign-on passwords stored by Chrome.

Related Tools: Chrome Password Decryptor, Google Password Decryptor, Browser Password Decryptor
 
 
  Google Chrome Canary or SXS
Google Chrome Canary or SXS is the parallel test version of Chrome, which users can download and test, thereby helping Google to release a stable version of Chrome.

Like Chrome, it stores all sign-on passwords in the SQLite database file called 'Web Data' within the profile directory. Newer versions use the 'Login Data' file for storing login passwords. However, the profile location of the Chrome Canary build is slightly different, as shown here.
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Google\Chrome SXS\User Data\Default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\Appdata\Local\Google\Chrome SXS\User Data\Default
It also uses the same storage and encryption mechanism as Chrome. Each stored sign-on entry mainly contains the website URL, username field id, username, password field id and encrypted password.
For details on how these passwords are encrypted and how to decrypt them, check out
'Exposing the Password Secrets of Google Chrome'

You can use Chrome Password Decryptor to automatically recover all the sign-on passwords stored by Chrome. By default it sets the profile path of Chrome; here you need to change it to the Chrome Canary location mentioned above.

Related Tools: Chrome Password Decryptor, Google Password Decryptor, Browser Password Decryptor
 
 
  Internet Explorer
Internet Explorer stores two types of passwords: sign-on passwords and HTTP basic authentication passwords (generally for proxy and router configuration). IE versions below 7 store both sign-on and HTTP basic authentication passwords in the secure location known as 'Protected Storage' at the following registry location,
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
From version 7 onwards, IE uses a new mechanism to store the sign-on passwords. The encrypted password for each website is stored along with a hash of the website URL at the following registry location.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Also from IE 7 onwards, HTTP basic authentication passwords are stored in the 'Credentials store' at the following location, depending on the operating system.
[Windows XP]
C:\Documents and Settings\[username]\Application Data\Microsoft\Credentials

[Windows Vista/Windows 7/Windows 8]
C:\Users\[username]\AppData\Roaming\Microsoft\Credentials
For details on how IE stores these passwords and how to recover them, check out
'Exposing Password Secrets of Internet Explorer'

You can instantly recover stored passwords for all versions of IE using the tool IE Password Decryptor.

Related Tools: IE Password Decryptor, Network Password Decryptor, Browser Password Decryptor
 
 
  Maxthon
Maxthon (version 3.1.7.1000) stores all the web login user accounts, including passwords, in the file "MagicFill2.dat" at the location mentioned below.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Maxthon3\Users\<user_name>\MagicFill

[Windows Vista/Windows 7/Windows 8]
C:\Users\Administrator\AppData\Roaming\Maxthon3\Users\<user_name>\MagicFill
This magic file is fully encrypted with an unknown algorithm. We will update this entry as we decipher more information.
Related Tools: Browser Password Decryptor
 
 
  Opera
Opera stores the login passwords in an encrypted format in the 'Magic Wand File' called 'Wand.dat' within its profile directory. The profile path differs between versions of Opera, as shown below.
For Opera Version 10 and above
[Windows NT/2K/2k3/XP]
C:\Documents and Settings\<username>\Application Data\Opera\Opera\wand.dat

[Windows Vista/Windows 7/Windows 8]
C:\users\<username>\AppData\Roaming\Opera\Opera\wand.dat

For Opera Version less than 10
[Windows NT/2K/2k3/XP]
C:\Documents and Settings\<username>\Application Data\Opera\Opera\profile\wand.dat

[Windows Vista/Windows 7/Windows 8]
C:\users\<username>\AppData\Roaming\Opera\Opera\profile\wand.dat
The Wand file mainly contains the website URL, username and password information, which are encrypted using the Triple-DES algorithm.
To know how Opera passwords are encrypted and how to decrypt them, check out
'Exposing the Secret of Decrypting Opera's Magic Wand'

You can use Opera Password Decryptor to instantly recover stored passwords from Opera's Magic Wand file.

Related Tools: Opera Password Decryptor, Browser Password Decryptor
 
 
  Safari
Safari uses a strong storage format and encryption mechanism for securely storing website login passwords. Login passwords, along with other information, are stored in the 'keychain.plist' file at the following central location.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Apple Computer\Preferences

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Apple Computer\Preferences
The Keychain file uses the binary Property List format (typically found on the Mac), which contains information such as the website server name, user login & encrypted password. The password is encrypted using the Cryptography functions with a salt value to make it stronger.
For more technical details on encryption and decryption of Safari passwords, check out
'Exposing the Password Secrets of Apple Safari'

You can use Safari Password Decryptor to automatically recover all the website login passwords stored by Safari.

Related Tools: Safari Password Decryptor
 
 
  SeaMonkey

SeaMonkey is an emerging Mozilla-based Internet web browser. It uses the same password storage format and encryption mechanism as the Firefox browser.

SeaMonkey stores user details, including saved web login passwords, in a file called 'signons.sqlite' at the following location,

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\SeaMonkey\Profiles\<random_name>.default

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Mozilla\SeaMonkey\Profiles\<random_name>.default

It uses the same storage format and encryption mechanism as Firefox.

You can use our tool 'SeaMonkey Password Decryptor' to instantly recover all the web login passwords from the SeaMonkey database.

Related Tools: SeaMonkey Password Decryptor, Browser Password Decryptor
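
Because each browser above keeps its credential store at a fixed per-user path, a file-access audit trail can be checked for opens by anything other than the owning browser. The following is an added example, not part of the original article or its tools; the `timestamp|image|path` event format, the sample events and the owner process names are assumptions, and only a subset of the browsers is covered.

```python
import re
from typing import NamedTuple

# Per-user profile root on Windows Vista/7/8; <user_name> varies per host.
_PROFILE = r"^[a-z]:\\users\\[^\\]+\\appdata\\"


class Rule(NamedTuple):
    store: str            # which browser's credential store the path belongs to
    pattern: re.Pattern   # full-path regex, matched case-insensitively
    owners: frozenset     # process image names expected to open the store


def _rule(store, tail, owners):
    return Rule(store, re.compile(_PROFILE + tail + r"$", re.IGNORECASE),
                frozenset(o.lower() for o in owners))


# Paths are taken from the browser entries above. The owner image names are
# assumptions for illustration; confirm them against your software inventory.
RULES = [
    _rule("Google Chrome / Chrome Canary",
          r"local\\google\\chrome( sxs)?\\user data\\default\\(login data|web data)",
          ["chrome.exe"]),
    _rule("Comodo Dragon",
          r"local\\comodo\\dragon\\user data\\default\\login data",
          ["dragon.exe"]),
    _rule("Flock",
          r"local\\flock\\user data\\default\\login data",
          ["flock.exe"]),
    _rule("Firefox",
          r"roaming\\mozilla\\firefox\\profiles\\[^\\]+\\(signons\.sqlite|signons\.txt|key3\.db)",
          ["firefox.exe"]),
    _rule("SeaMonkey",
          r"roaming\\mozilla\\seamonkey\\profiles\\[^\\]+\\signons\.sqlite",
          ["seamonkey.exe"]),
    _rule("Opera",
          r"roaming\\opera\\opera\\(profile\\)?wand\.dat",
          ["opera.exe"]),
    _rule("Safari",
          r"roaming\\apple computer\\preferences\\keychain\.plist",
          ["safari.exe"]),
]


def parse_event(line):
    """Parse one 'timestamp|process image|target path' line (constructed format)."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        return None  # malformed or unrelated line
    ts, image, target = (p.strip() for p in parts)
    # Normalise separators so forward-slash paths match the same rules.
    return ts, image.replace("/", "\\"), target.replace("/", "\\")


def find_suspicious(lines):
    """Return (timestamp, process, store) for every credential-store open
    made by a process that is not the store's expected owner."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, image, target = event
        proc = image.rsplit("\\", 1)[-1].lower()
        for rule in RULES:
            if rule.pattern.match(target):
                # Name matching is a first pass only: a renamed binary defeats
                # it, so pair it with image path or signer checks in practice.
                if proc not in rule.owners:
                    hits.append((ts, proc, rule.store))
                break
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = r"""
2024-01-10T09:00:01|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-01-10T09:02:17|C:\Users\alice\AppData\Local\Temp\upd.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-01-10T09:02:18|C:\Users\alice\AppData\Local\Temp\upd.exe|C:/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/ab12cd34.default/key3.db
2024-01-10T09:05:40|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\signons.sqlite
2024-01-10T09:07:02|C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt
malformed line without separators
""".strip().splitlines()

if __name__ == "__main__":
    for ts, proc, store in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts}  {proc} opened the {store} credential store")
```

Backup and sync agents that legitimately read profile directories will also be flagged; add them to the relevant `owners` set once verified.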
 
 
 
Instant Messengers
 
  AIM (AOL Instant Messenger)
AIM version 6.x onwards (till v7.2) stores the password at the following registry location,
 HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
The AIM PRO version uses a different registry location to store the passwords,
 HKEY_CURRENT_USER\Software\AIM\AIMPRO\<Account_Name>

The latest version of AIM (v7.5, since v7.3) stores the encrypted username/password in the file 'aimx.bin' at the following location

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\AIM

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Local\AIM
AIM uses the Blowfish encryption algorithm along with Base64 encoding to securely store the login passwords.

You can use our FREE tool, AIM Password Decryptor, to recover the password saved by all versions of AIM (including the latest version, v7.5).

Related Tools: Messenger Password Decryptor
 
 
  Beyluxe Messenger
Beyluxe Messenger stores the main account password at the following registry location
HKEY_CURRENT_USER\Software\Beyluxe Messenger\<nick_name>
The password for each user is encrypted and stored in the registry value 'password' under this key.
For more technical details on how these passwords are encrypted and decrypted, check out
"Exposing the Password Secrets of Beyluxe Messenger"

You can recover all account passwords stored by Beyluxe Messenger using Messenger Password Decryptor.

Related Tools:  Messenger Password Decryptor
 
 
  BigAnt Messenger
BigAnt Messenger (version 2.82) stores the login name and password at the following registry location,
HKEY_CURRENT_USER\Software\BigAntSoft\BigAntMessenger\Setting
The login name is stored in the registry value "LoginName" and the encrypted password is stored in the registry value 'Password' under this key. We will update this entry with more details about its encryption method once we have worked it out.
Related Tools:  Messenger Password Decryptor
 
 
  Camfrog Video Messenger
Camfrog Video Messenger (version 6.2) stores the login password at the following registry location,
HKEY_CURRENT_USER\Software\Camfrog\Client\<user_name>\ProfileInfo
Here <user_name> refers to the nickname or login name of the user. The hashed password is stored in the registry value "Hash1" under this key.
Related Tools:  Messenger Password Decryptor
 
 
  Digsby
Newer versions of Digsby (Build 83 - r27225 as of this writing) store the main account password in the 'logininfo.yaml' file at the following location,
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Digsby

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Local\Digsby
Digsby stores only the main account password locally; all other IM account passwords (such as Yahoo, Gmail, AIM) are stored on the servers. The main Digsby password is encrypted using a special algorithm with the username, Windows product id and install date as the key, and the resulting password is then encoded with BASE64 before being stored in the above password file.

Earlier versions of Digsby used to save the password in the 'Digsby.dat' file at the following location,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Digsby

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Digsby
Earlier Digsby versions used the hardcoded string 'foo' as the key, without BASE64 encoding.
For more details on how Digsby encrypts & decrypts these passwords, check out
'Exposing the Password Secrets of Digsby'

You can use Digsby Password Decryptor to instantly recover the Digsby password for all versions.

Related Tools: Digsby Password Decryptor, Messenger Password Decryptor
 
 
  Google Talk (GTalk)
Google Talk (GTalk) stores all remembered Gmail account information at the following registry location.
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
For each Google account, a separate registry key named after the account email id is created under this key. The account password is encrypted and stored in the registry string value named 'pw' within this account registry key.
To know more about how GTalk encrypts the passwords and how to decrypt them, check out
'Exposing Google Password Secrets'

You can use Google Password Decryptor to instantly recover all Google account passwords stored by GTalk.

Related Tools: Google Password Decryptor, Messenger Password Decryptor
 
 
  IMVU Messenger
IMVU Messenger (version 450.2) stores the login account information at the following registry locations,
HKEY_CURRENT_USER\Software\IMVU\username
HKEY_CURRENT_USER\Software\IMVU\password
The username is stored in clear text and the password is stored in hex format as the default registry value.

You can use the Messenger Password Decryptor tool to automatically & quickly recover the login account password stored by IMVU Messenger.

Related Tools:  Messenger Password Decryptor
 
 
  Meebo Notifier
Meebo Notifier (beta version) stores the messenger login account passwords in the 'MeeboAccounts.txt' file at the location mentioned below, depending on your platform.
[Windows XP]
C:\Documents and Settings\Application Data\Meebo\MeeboAccounts.txt

[Windows Vista/Windows 7/Windows 8]
C:\Users\AppData\Roaming\Meebo\MeeboAccounts.txt
This "MeeboAccounts.txt" file contains the username in clear text and the login password encoded with magic bytes.
To know these magic bytes, along with a sample decoding program, read our research article
Exposing the Password Secrets of Meebo

You can use our Meebo Password Decryptor or Online Meebo Password Decoder to automatically and instantly recover all the messenger passwords stored by Meebo Notifier.

Related Tools:  Meebo Password Decryptor, Messenger Password Decryptor
 
 
  Miranda IM
Miranda is a popular open-source messenger of recent times. Like most instant messengers, Miranda stores all user account information, including passwords, in the profile location. This saves the user from entering the passwords each time.

The latest version of Miranda (v0.9.10) stores the user account & password in the profile file at the following location

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Miranda\%profile_name%\%profile_name%.dat

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Miranda\%profile_name%\%profile_name%.dat
A user can have multiple profiles specific to the office or home environment, and the corresponding account information is stored in the respective profile file.

Initial versions of Miranda stored all account information in a .dat file directly within the base location, as shown below,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Miranda\<profile_name>.dat

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Miranda\<profile_name>.dat
Miranda uses its own proprietary mechanism to encrypt the password before storing it in the profile file.
To know how Miranda encrypts & decrypts the password, check out
"Exposing the Password Secrets of Miranda"

You can use Miranda Password Decryptor to instantly recover all account passwords stored by Miranda.

Related Tools: Miranda Password Decryptor, Messenger Password Decryptor
 
 
  MSN Messenger
MSN Messenger also uses the 'Credential Store' to securely store the remembered passwords. These passwords are stored as type 'Domain Visible Network' aka '.Net Passport', using the target name '.Net passport' within the 'Credential Store'.
For more details on how MSN Messenger stores the passwords and how to decrypt them, check out
'Exposing the Password Secrets of MSN/Windows Live Messenger'

You can recover all MSN messenger stored passwords using MSNLive Password Decryptor.

Related Tools: MSNLive Password Decryptor, Messenger Password Decryptor , Network Password Decryptor
 
 
  MySpace IM
MySpaceIM is one of the upcoming instant messengers. It stores the user account & password details at the following location.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\MySpace\IM\users.txt

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\MySpace\IM\users.txt
The user login email id is stored in clear text, whereas the password is stored in encrypted form. The password is encrypted using 'Windows Crypto API' functions and then encoded with BASE64 before being stored in this file. So in order to decrypt it successfully, one has to decode the password using BASE64 and then decrypt it using the CryptUnprotectData function.

You can use IM Password Decryptor to instantly recover stored account passwords by MySpaceIM.

Related Tools: Messenger Password Decryptor
 
 
  Nimbuzz Messenger
Nimbuzz Messenger (version 1.6) stores the login account information at the following registry location,
HKEY_CURRENT_USER\Software\Nimbuzz\PCClient\Application
It stores all the account details, including the login username & password (stored in hex format), in the registry values "username" & "password" respectively.

You can use Messenger Password Decryptor to automatically & quickly recover the login account password stored by Nimbuzz.
Related Tools:  Messenger Password Decryptor
 
 
  PaltalkScene
PaltalkScene stores the main account password at the following registry location
HKEY_CURRENT_USER\Software\Paltalk\<nick_name>
The password is encrypted and stored in the registry value 'pwd' under this key. All other IM passwords such as Gmail, Yahoo, AIM etc. are saved in separate sub keys under this registry key. For example, Gmail accounts are stored under the following registry key,
HKEY_CURRENT_USER\Software\Paltalk\<nick_name>\GGL\<gmail_address>
All these IM passwords are encoded with BASE64 and stored in the 'pwd' registry value.
For more technical details on how Paltalk encrypts the password and how to decrypt it, check out
Exposing the Password Secrets of PaltalkScene

You can recover the main password as well as all the IM passwords stored by Paltalk using Paltalk Password Decryptor.

Related Tools:  Paltalk Password Decryptor, Messenger Password Decryptor
 
 
  Pidgin (Formerly Gaim)
Pidgin stores all configured account passwords in the "Accounts.xml" file located in the following directory
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\.purple

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\.purple
Older versions (Gaim) used the .gaim folder instead of .purple to store the account details. For each stored account, the 'Accounts.xml' file contains an <account> tag, which has the sub tags <name> & <password> containing the account email address and password respectively, in plain text.

You can recover Pidgin passwords using Messenger Password Decryptor.

Related Tools: Messenger Password Decryptor
 
 
  Skype
Skype does not store the password directly. Instead it stores the encrypted hash of the password in the 'config.xml' file located in Skype's user profile directory. The typical user profile directory for Skype is as follows,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Skype\<account_name>

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Skype\<account_name>
This config.xml contains the <Credentials2> tag, which holds the encrypted hash of the password. As per the research paper 'Vanilla Skype' written by Fabrice Desclaux and Kostya Kortchinsky, Skype uses the MD5 hash of the string "username\nskyper\npassword" for authentication. If the user has set the 'Remember password' option, this MD5 hash is encrypted using the AES-256 & SHA-1 algorithms and finally saved into the 'Config.xml' file.

Since only the hash of the password is saved, it is not possible to get the password directly. Instead one has to use a dictionary or brute-force approach to find the right password from the hash. This approach may take days or even months, depending on the length & complexity of the password.

You can use our 'Skype Password Recovery' to recover your lost or forgotten Skype password.

Related Tools: Skype Password Recovery
 
 
  Tencent QQ
Tencent QQ is one of the popular instant messengers. It stores the user's login information in the file "Registry.db" at the following location
C:\Users\<user_name>\Documents\Tencent Files\<qq_login_id>\QQ
This "Registry.db" file is in the OLE storage format, which can be viewed using DocFile Viewer. However, the internal login information is encrypted using the Blowfish algorithm.
Related Tools: Messenger Password Decryptor
 
 
  Trillian
[Version 4.21 build 24] - [Version 5.0.0.26]
Trillian Astra stores only the main account password (called the Identity or Astra password) in the 'accounts.ini' file at the location mentioned below. All other IM account passwords (such as Yahoo, Gtalk, AIM, MSN etc.) are stored on the servers.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Trillian\users\global\

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Trillian\users\global\
For each account it contains a section named '[Account<number>]' under which all information for that account is stored. The username is stored in the field named 'Account=' and the password is stored in the field 'Password='. Trillian first performs XOR encoding of the password with a standard pattern and then encodes it with BASE64 before storing it.
To know more about how Trillian encodes and decodes the password on the fly, check out
Exposing the Password Secrets of Trillian

You can use Trillian Password Decryptor to automatically recover passwords stored by all versions of Trillian.

Related Tools: Trillian Password Decryptor, Messenger Password Decryptor
 
 
  Windows Live Messenger
Windows Live Messenger stores the account password in the 'Credential Store', which provides different mechanisms such as 'Generic', 'Domain Network', 'Domain Visible Network' etc. that applications can use to store and retrieve their private credentials. Each such method requires a different technique and privilege level to enumerate and decrypt the passwords.

Windows Live Messenger uses the 'Generic Password' mechanism of the 'Credential Store' to store the passwords under the target name 'WindowsLive:name=<email_id>'.

To know more about how to recover passwords stored by Live Messenger, read
'Exposing the Password Secrets of MSN/Windows Live Messenger'

You can use MSNLive Password Decryptor to instantly recover all such passwords stored by Live Messenger.

Related Tools: MSNLive Password Decryptor, Messenger Password Decryptor , Network Password Decryptor
 
 
  Xfire
Xfire is a free tool, with more than a million members, that automatically keeps track of when and where gamers are playing games online. Xfire stores the user settings, including the login username & password, in a file "XfireUser.ini" at the following location,
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Xfire

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Xfire\
Xfire uses the Blowfish encryption algorithm for both username & password. Each encrypted username is stored with the label "EncryptedUser1" and the password is stored as "EPW1". However, Xfire does not store the original password directly. Instead it generates the SHA1 hash of username+password+"UltimateArena" and then stores the encrypted form of this SHA1 hash.

You can use Xfire Password Decryptor to instantly recover the login passwords from Xfire.

Related Tools: Xfire Password Decryptor , HashKracker
 
 
  Yahoo Messenger
Yahoo Messenger prior to version 7 used to store the password in the registry value 'EOptions String' at the following registry location,
 HKEY_CURRENT_USER\Software\Yahoo\Pager
This password is encrypted, then encoded using the Yahoo64 (similar to Base64) algorithm and stored at the above location. The actual algorithm and encoding functionality is present in ycrwin32.dll (which can be found in the installed location of Yahoo Messenger).

From version 7 onwards, Yahoo stores an encrypted token derived from the username & password in the registry value 'ETS' at the same registry location. Though you cannot decrypt this token back to the password, you can copy it to another machine and continue to log in to Yahoo Messenger.

For more details on this password token & authentication mechanism, refer to
In Depth Analysis of Yahoo Authentication Schemes
Related Tools: Yahoo Password Decryptor
 
 
 
Email Client Applications
 
  Foxmail
Foxmail [version 6.5] stores the password information for all configured mail accounts at the following location,
[Windows - 32 bit]
C:\Program Files\Foxmail\mail\<account_emailaddress>\Account.stg

[Windows - 64 bit]
C:\Program Files (x86)\Foxmail\mail\<account_emailaddress>\Account.stg

This "Account.stg" file appears to be in binary format: the first 0x800 bytes are filled with some hex data, followed by the actual account information including the POP3 and SMTP account passwords. The POP3 & SMTP account passwords are stored under the names 'POP3Password' & 'ESMTPPassword' respectively. The passwords are stored in hex format and XOR encoded using the magic string "~draGon~".

Foxmail v7.0 or higher uses the new magic string "~F@7%m$~" with the same algorithm. It also stores the account passwords using a different format at a new location.

[Windows - 32 bit & 64 bit]
C:\Program Files\Foxmail 7.0\Data\AccCfg\Accounts.tdat
You can use the Foxmail Password Decryptor tool to recover all mail account passwords stored by Foxmail.
Related Tools: Google Password Decryptor, Mail Password Decryptor
 
 
  Gmail Notifier
Gmail Notifier uses different mechanisms to store the Google account password depending on the IE version. For IE version 7 onwards, Gmail Notifier stores the password in the 'Windows Credential Store'. This password can be decrypted using the CredEnumerate API function.
For details on how to enumerate and decrypt the Google account password from the Credential Store, check out
'Exposing Google Password Secrets'.

You can use the Google Password Decryptor or Network Password Decryptor tool to instantly recover all Google account passwords stored by Gmail Notifier.

Related Tools: Google Password Decryptor, Mail Password Decryptor
 
 
  IncrediMail
IncrediMail stores the password information for all configured mail accounts at the following registry location,
HKEY_CURRENT_USER\Software\IncrediMail\Identities\{GUID_1}\Accounts\{GUID_2}
Main account details such as the email address, POP3 password and SMTP password are stored in the registry values 'EmailAddress', 'PopPassword' & 'SmtpPassword' respectively. Passwords are encoded using the magic byte pattern "0x89, 0x32, 0xCA, 0x31".

You can use the IncrediMail Password Decryptor tool to automatically recover all mail account passwords stored by IncrediMail.

Related Tools:  IncrediMail Password Decryptor, Mail Password Decryptor
 
 
  Microsoft Outlook
The latest version, Microsoft Outlook 2013 (version 15.0), stores the account configuration along with the encrypted password at the following location
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Outlook versions from 2002 to 2010 store the passwords (other than Exchange server passwords) for various email accounts such as POP3, IMAP, SMTP and HTTP at the following registry location.
[Windows NT onwards]
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

[Prior to Windows NT]
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles
Newer versions of Outlook (2002-2010) store the Exchange server passwords in the 'Credential Store', as it provides better protection than the other methods. You can use Outlook Password Decryptor or Network Password Decryptor to recover such passwords.

Older versions of Outlook (Outlook Express, 98, 2000 etc.) store the email configuration information along with the encrypted password at the following registry location:

[For Outlook installed in Internet Mail Only Mode Configuration]
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

[For Outlook in normal mode]
HKCU\Software\Microsoft\Internet Account Manager\Accounts
To learn more about how Outlook stores email passwords and how to decrypt them, check out
'Exposing the Secret of Decrypting Outlook Passwords'

You can use Outlook Password Decryptor to decrypt passwords for all versions of Outlook from 98 to 2013.

Related Tools: Outlook Password Decryptor, Mail Password Decryptor, Mail Password Sniffer
 
 
  ThunderBird
Thunderbird stores all remembered email settings, along with the passwords, in the SQLite database file 'signons.sqlite' in its profile location. The default profile location for different platforms is as follows:
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Thunderbird\Profiles\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Thunderbird\Profiles\<random_name>.default
You can use ThunderbirdPassDecryptor to recover all stored mail account passwords by Thunderbird.
Related Tools: ThunderbirdPassDecryptor, Mail Password Decryptor, Mail Password Sniffer
 
 
  Windows Live Mail
Windows Live Mail (part of Windows Essentials) stores all the account information, including passwords, at the following location.
[Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Local\Microsoft\Windows Live Mail\

Each account is stored in a .oeaccount file in a separate folder within the above profile location. The file is in XML format, and passwords are found within tags such as HTTPMail_Password2, POP3_Password2, IMAP_Password2, SMTP_Password2 etc.

The password is encrypted with a salt using Windows Cryptography functions.

You can use Live Mail Password Decryptor to recover all mail account passwords stored by Windows Live Mail.

Related Tools: Live Mail Password Decryptor, Mail Password Decryptor, Mail Password Sniffer
 
 
 
FTP Client Applications
 
  Dreamweaver
Dreamweaver, the popular web site editing software, stores FTP & WebDAV login & password information in the registry at the following location.
HKEY_CURRENT_USER\Software\Adobe\Common\10\Sites\-SiteX\Keychain
For Dreamweaver CS5 edition, replace 10 with 11 in the above location. Each FTP site entry is stored in a separate key "-SiteX" (as shown above), where X starts at 1 and is incremented for every new FTP site. Each such Keychain entry contains the user name and encrypted password in the registry values named "User" & "User PW" respectively.
Dreamweaver uses the standard Windows Cryptography Functions (CryptProtectData) to encrypt the password before saving it to the registry.

You can use Dreamweaver Password Decryptor to recover all the FTP passwords stored by Dreamweaver.

Related Tools: FTP Password Decryptor,   FTP Password Sniffer
 
 
  FileZilla
FileZilla stores all account information, along with the username & password, in the "recentservers.xml" file at the following location:
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\FileZilla

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\FileZilla
This XML file contains an entry for each FTP server account under the tag <server>. Each server entry has <user> & <pass> tags which contain the user name & password in plain text for the corresponding FTP server.

You can use the Filezilla Password Decryptor tool to recover all FTP server passwords stored by FileZilla.

Related Tools: FTP Password Decryptor,   FTP Password Sniffer
 
 
  FlashFXP
FlashFXP - one of the emerging FTP clients - stores FTP login & password information in the 'Sites.dat' file at the location below:
[Windows XP]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat

[Windows Vista/Windows 7/Windows 8]
C:\ProgramData\FlashFXP\4\Sites.dat
The above location applies to FlashFXP v4 or higher. For version 3, replace 4 with 3 in the above location. FlashFXP uses a simple encoding algorithm with the magic string "yA36zA48dEhfrvghGRg57h5UlDv3" to encrypt the password.

You can use Flashfxp Password Decryptor to recover all the FTP passwords stored by FlashFXP.

Related Tools: FTP Password Decryptor,   FTP Password Sniffer
 
 
  FTPCommander
FTPCommander is one of the popular FTP clients, which comes in FREE, Pro & Deluxe editions.

FTPCommander FREE edition stores the FTP site information in a file "Ftplist.txt" at its installed location:

[Windows - 32 bit]
C:\Program Files\FTP Commander

[Windows - 64 bit]
C:\Program Files (x86)\FTP Commander
FTPCommander PRO edition stores the FTP site information in a file "Ftplist.txt" at the following location:
[Windows - all platforms]
C:\CFtp\
FTPCommander Deluxe edition stores the FTP site information in a file "Ftplist.txt" at its installed location:
[Windows - 32 bit]
C:\Program Files\FTP Commander Deluxe

[Windows - 64 bit]
C:\Program Files (x86)\FTP Commander Deluxe
 
All editions of FTPCommander (as of the latest version, v9.2) store the password along with the server & username after XOR encoding the password with the magic number 0x19 (25).

You can use FTPCommander Password Decryptor to recover FTP passwords stored by all editions of FTPCommander.

Related Tools: FTP Password Decryptor,   FTP Password Sniffer
 
 
  SmartFTP
SmartFTP - one of the popular commercial FTP clients - stores all the configured FTP account & password information at the following location:
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\SmartFTP\Client 2.0\Favorites\Quick Connect

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
SmartFTP (as of the latest version, v4.0) stores each FTP site's information (host, username & password) in a separate XML file in the above location.
The password is encrypted using the 'Windows Cryptography Functions' (CryptEncrypt). It uses the RC4 encryption algorithm with the key derived from the MD5 hash of the magic string "SmartFTP".

You can use SmartFtp Password Decryptor to recover all the FTP passwords stored by SmartFTP.

Related Tools: FTP Password Decryptor,   FTP Password Sniffer
 
 
  WS_FTP
WS_FTP - one of the popular FTP clients - stores all the configured FTP account & password information in the file "ws_ftp.ini" at the following location:
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Ipswitch\WS_FTP\Sites\

[Windows Vista/Windows 7/Windows 8]
C:\Users\<username>\AppData\Roaming\Ipswitch\WS_FTP\Sites\
The username and password for each stored FTP site appear after the fields "uid=" and "pwd=" respectively. The password is encrypted using the Triple DES algorithm with a magic key and then stored in Base64 format.
For more details on decoding WS_FTP passwords, read our research article
Exposing the Password Secrets of WS_FTP

You can use our WS_FTP Password Decryptor to recover all the FTP passwords stored by WS_FTP.

Related Tools: FTP Password Decryptor,   FTP Password Sniffer
 
 
 
Miscellaneous Applications
 
  Google Desktop Search
'Google Desktop Search' stores the Google account information in the registry when it is configured to search your Gmail account. Here is the registry location:
 HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\Gmail
The above registry key contains 2 main registry values, 'POP3_name' & 'POP3_credentials', holding the Google account name & encrypted password respectively.
For more details on how to decrypt this password, read our research article,
'Exposing Google Password Secrets'

You can use Google Password Decryptor tool to instantly recover any such password stored by Google Desktop Search.

Related Tools: Google Password Decryptor
 
 
  Heroes of Newerth
Heroes of Newerth (HoN) is a popular game based on Warcraft III DoTA. It stores the user's login information in the file "login.cfg" at the location below, depending on the platform:
[Windows]
C:\Users\User\Documents\Heroes of Newerth\game\

[Linux]
/home/user/.Heroes of Newerth/game/

[Mac]
/Users/User/Library/Application Support/Heroes of Newerth/game/
This "login.cfg" file contains the username and password after the fields 'login_name' & 'login_password' respectively. The password field is nothing but the MD5 hash of the original password, which can be cracked using online MD5 hash crackers or offline tools.
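Why an unsalted MD5 in 'login_password' gives little protection, shown as an added example (not code from the original article or from the game): identical passwords produce identical digests, so one list of common passwords flags every matching account, while a salted, iterated hash does not have that property. The account names, passwords and the common-password list are constructed.

```python
import hashlib
import hmac
import os


def md5_hex(password):
    """Unsalted MD5 hex digest, the form the page describes for 'login_password'."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_hash_audit(stored, common_passwords):
    """Names whose stored unsalted MD5 equals the digest of a common password.

    One precomputed set covers every account because the digest depends on
    nothing but the password itself.
    """
    known = {md5_hex(p) for p in common_passwords}
    return sorted(name for name, digest in stored.items()
                  if digest.lower() in known)


def pbkdf2_record(password, iterations=600_000):
    """Salted, slow alternative: returns (salt, iterations, derived_key)."""
    salt = os.urandom(16)  # fresh random salt per record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)


# Constructed accounts: two users who happen to share a password.
CONSTRUCTED_STORE = {
    "alice": md5_hex("dragon"),
    "bob": md5_hex("dragon"),
    "carol": md5_hex("r7#Vq-tulip-Ledger"),
}
COMMON = ["123456", "password", "dragon"]  # constructed short list

if __name__ == "__main__":
    print("identical digests:", CONSTRUCTED_STORE["alice"] == CONSTRUCTED_STORE["bob"])
    print("weak accounts:", weak_hash_audit(CONSTRUCTED_STORE, COMMON))
    a, b = pbkdf2_record("dragon"), pbkdf2_record("dragon")
    print("salted keys differ:", a[2] != b[2], "verify:", pbkdf2_verify("dragon", a))
```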
 
 
  Internet Download Manager (IDM)
IDM stores all the premium account passwords for download sites at the following registry location:
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
There is a registry key representing each download site below this location. Each such entry has 2 registry values, "User" & "EncPassword". The user name is stored as the hex representation of its ASCII characters, while the password is XOR encoded with 0xf.

You can use our IDM Password Decryptor to automatically recover all stored passwords by IDM.

Related Tools: IDM Password Decryptor
 
 
  JDownloader
JDownloader [versions below 2.0] stores all the premium account passwords in the HSQL database file at the following location:
[32 bit - x86 System]
C:\Program Files\JDownloader\Config

[64 bit - x64 System]
C:\Program Files (x86)\JDownloader\Config

HSQLDB stores the database contents as plain SQL statements. You can find all of the JDownloader configuration, along with the premium passwords, in the "database.script" file. There is no encryption as such, but the data itself is stored in serialized object format.

From version 2 beta onwards, JDownloader stores the account passwords at a new location.

[Windows XP]
C:\Documents and Settings\Local Settings\Application Data\JDownloader 2.0\Cfg

[Windows Vista/Windows 7/Windows 8]
C:\Users\AppData\Local\JDownloader 2.0\Cfg
Note that the install location has also changed, from %program files% in previous versions to %appdata%. The new version v2.0 Beta stores the account details in JSON format and then encrypts the contents before storing them in the file 'org.jdownloader.settings.AccountSettings.accounts.ejs'.

You can use our JDownloader Password Decryptor tool to instantly recover passwords from all versions of JDownloader.

Related Tools: JDownloader Password Decryptor
 
 
  Orbit Downloader
'Orbit Downloader' stores all the premium account passwords for download sites in the following file:
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Orbit\sitelogin.dat

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Orbit\sitelogin.dat
The "sitelogin.dat" file contains the website, username & password information for each of the premium download sites. Passwords are encrypted using the IDEA algorithm.

You can use our Orbit Password Decryptor to automatically recover all stored passwords by Orbit Downloader.

Related Tools: Orbit Password Decryptor
 
 
  Picasa
Picasa stores the Google account password information at one of the following registry locations.
HKEY_CURRENT_USER\Software\Google\Picasa\Picasa2\Preferences
HKEY_CURRENT_USER\Software\Google\Picasa\Picasa3\Preferences
Some of the early releases of Picasa 3 used the second location, but later releases switched back to the first. The registry value 'gaiaEmail' contains the Google account id and 'gaiaPass' contains the encrypted password. Picasa versions 2 and 3 use different encryption mechanisms to store the password.
To learn more about how the passwords stored by Picasa are decrypted, check out
'Exposing Google Password Secrets'.

Google Password Decryptor can automatically recover the password for different versions of Picasa.

Related Tools: Google Password Decryptor
 
 
  Remote Desktop
Remote Desktop stores the saved credentials in the 'Credential Store' using the target name 'LegacyGeneric:target=TERMSRV/<Host_IP_address>'. As many applications use the 'Credential Store' to save their passwords, this target name can be used to uniquely identify passwords stored by 'Remote Desktop'.
To learn more about how the 'Credential Store' works and how to recover the password, check out
'Exposing the Secret of Decrypting Network Passwords'

You can use 'Network Password Decryptor' to recover the passwords stored by Remote Desktop.

Related Tools: Network Password Decryptor
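An inventory check built on the target name above, as an added example that is not part of the original article: it parses the text printed by the Windows `cmdkey /list` command and lists saved Remote Desktop credentials, then flags hosts outside an approved set. The sample output, the host and user names and the approved-host set are constructed.

```python
import re

# Constructed sample of `cmdkey /list` output (not captured from a real host).
SAMPLE_CMDKEY_OUTPUT = r"""
Currently stored credentials:

    Target: LegacyGeneric:target=TERMSRV/10.20.30.40
    Type: Generic
    User: CORP\alice

    Target: Domain:target=TERMSRV/jump01.example.internal
    Type: Domain Password
    User: CORP\svc-backup

    Target: LegacyGeneric:target=git:https://git.example.internal
    Type: Generic
    User: alice
"""

# Remote Desktop entries are recognised by the TERMSRV/ target name.
TERMSRV_RE = re.compile(r"target=TERMSRV/(\S+)", re.IGNORECASE)


def saved_rdp_credentials(cmdkey_output):
    """Return [{'host', 'user', 'type'}] for every TERMSRV entry in the listing."""
    entries, current = [], None
    for raw in cmdkey_output.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "target":
            # A Target line opens a new credential entry.
            current = {"target": value, "type": "", "user": ""}
            entries.append(current)
        elif current is not None and key in ("type", "user"):
            current[key] = value
    results = []
    for entry in entries:
        match = TERMSRV_RE.search(entry["target"])
        if match:
            results.append({"host": match.group(1), "user": entry["user"],
                            "type": entry["type"]})
    return results


def unapproved_hosts(rdp_entries, approved):
    """Hosts with a saved RDP credential that are not in the approved set."""
    allowed = {h.lower() for h in approved}
    return sorted({e["host"] for e in rdp_entries if e["host"].lower() not in allowed})


if __name__ == "__main__":
    found = saved_rdp_credentials(SAMPLE_CMDKEY_OUTPUT)
    for e in found:
        print(f"saved RDP credential: {e['user']} -> {e['host']} ({e['type']})")
    print("not approved:", unapproved_hosts(found, {"jump01.example.internal"}))
```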
 
 
  Seesmic
Seesmic is a popular desktop client for Twitter. It stores account settings in the file named 'data.db' at the following location:
C:\Users\\Documents\Seesmic\Seesmic Desktop 2\Data\
The file 'data.db' is in SQLite database format. It has many tables, of which the 'Accounts' & 'Settings' tables are the interesting ones.

The 'Settings' table contains the important keys 'SeesmicUsername' & 'SeesmicEmail', which refer to the login id for Seesmic itself.

The 'Accounts' table contains all the Twitter accounts configured by the user. Each account is identified by a unique id, and the 'AccountData' field contains the complete account details in XML format. Below is a sample:

<?xml version="1.0" encoding="utf-16"?>
<TwitterAccount xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Id>e44943f8-f5a2-4025-92b6-1cc3d9d344a3</Id>
<Username>SecurityXploded</Username>
<UserId>1234567890</UserId>
<Token>1234567890-abcDEG9P6huGMxgNCBPTFkmF7DhEBAv4vFCSlvAb</Token>
<TokenSecret>ABuCDIEmsUoFFGUCj6MmmACXey0UWcDXKZwaZYhXZc</TokenSecret>
<DirectsLimit>30</DirectsLimit>
<FriendsLimit>30</FriendsLimit>
<RepliesLimit>30</RepliesLimit>
<TweetlistsLimit>10</TweetlistsLimit>
<APIusageLimit>80</APIusageLimit>
<ExcludeFromTimelines>false</ExcludeFromTimelines>
<IsAuthenticated>true</IsAuthenticated>
<AggregateAccountUpdates>true</AggregateAccountUpdates>
<ServerAccountId>46e9fb7f-1234-411f-1234-9f35885997d4</ServerAccountId>
<UsesSeesmicConsumerKey>true</UsesSeesmicConsumerKey>
<TimelineCacheLimit>200</TimelineCacheLimit>
<FriendsCacheLimit>200</FriendsCacheLimit>
<SearchCacheLimit>200</SearchCacheLimit>
</TwitterAccount>

Note that when you add a Twitter account to Seesmic, you are required to log in to Twitter and grant permission to Seesmic. Whenever you do this, Twitter generates various authentication ids such as consumerKey, consumerSecret, oAuthToken & oAuthSecret. Seesmic can then use the OAuth mechanism with these secret ids to access your Twitter account.

Seesmic stores these secret ids along with other details for each account in the above XML. Here the <Token> field refers to "oAuthToken" and <TokenSecret> refers to "oAuthSecret". It appears that consumerKey and consumerSecret may be stored on the server, which is referred to by the field <ServerAccountId>.

Related Tools: Twitter Password Decryptor
 
 
  SuperPutty
SuperPutty is a Windows GUI application that allows the PuTTY SSH client to be opened in tabs. It stores the session login password details in the file named 'sessions.xml' at the following location:
[Windows XP]
C:\Documents and Settings\[user name]\My Documents\SuperPuTTY\

[Windows Vista/Windows 7/Windows 8]
C:\Users\[user_name]\Documents\SuperPuTTY\
Each stored session starts with a tag <SessionData and contains information about the Host, Port, Username and Password. The password is usually stored in the extra arguments, after the -pw option.

You can use our SuperPutty Password Decryptor to automatically recover all the stored session passwords.

Related Tools: SuperPutty Password Decryptor
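An audit for the two cleartext stores described on this page, FileZilla's "recentservers.xml" and SuperPuTTY's 'sessions.xml', written as an added example (not code from the original article or from either project). It reports which host and user entries carry a stored password without ever printing the password; both XML samples are constructed, and the SuperPuTTY root element and the attribute names SessionName and ExtraArgs are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like FileZilla's recentservers.xml (not real data).
FILEZILLA_SAMPLE = """<FileZilla3><RecentServers>
  <Server><Host>ftp.example.test</Host><Port>21</Port>
    <User>deploy</User><Pass>Winter2013!</Pass></Server>
  <Server><Host>files.example.test</Host><Port>21</Port>
    <User>anonymous</User><Pass></Pass></Server>
</RecentServers></FileZilla3>"""

# Constructed SuperPuTTY sessions.xml. The root element and the attribute
# names SessionName/ExtraArgs are assumptions; the page names only the
# <SessionData tag, Host, Port, Username and the -pw option.
SUPERPUTTY_SAMPLE = """<ArrayOfSessionData>
  <SessionData SessionName="db01" Host="10.0.0.5" Port="22"
               Username="root" ExtraArgs="-pw S3cret -C" />
  <SessionData SessionName="web01" Host="10.0.0.6" Port="22"
               Username="ops" ExtraArgs="-C" />
</ArrayOfSessionData>"""

# "-pw <value>" anywhere in an attribute value.
PW_OPTION = re.compile(r"(?:^|\s)-pw\s+\S+")


def _child_text(elem, name):
    """Text of the first direct child whose tag matches name, ignoring case."""
    for child in elem:
        if child.tag.lower() == name:
            return (child.text or "").strip()
    return ""


def audit_filezilla(xml_text):
    """Return (app, host, user) for every server entry with a non-empty password."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.lower() == "server" and _child_text(elem, "pass"):
            findings.append(("FileZilla", _child_text(elem, "host"),
                             _child_text(elem, "user")))
    return findings


def audit_superputty(xml_text):
    """Return (app, host, user) for every session whose attributes carry -pw."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("SessionData"):
        # Scan all attributes so the check does not depend on one attribute name.
        if any(PW_OPTION.search(value) for value in elem.attrib.values()):
            findings.append(("SuperPuTTY", elem.get("Host", ""),
                             elem.get("Username", "")))
    return findings


if __name__ == "__main__":
    for app, host, user in (audit_filezilla(FILEZILLA_SAMPLE)
                            + audit_superputty(SUPERPUTTY_SAMPLE)):
        print(f"{app}: stored password for {user}@{host} (value withheld)")
```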
 
 
  TweetDeck
TweetDeck is one of the popular Twitter clients, which also supports other social networking sites such as Facebook, LinkedIn, MySpace, Buzz etc. It is developed using the Adobe AIR framework and hence uses the 'Encrypted Local Storage' (ELS) mechanism provided by Adobe AIR to store all the account credentials. The encrypted password files are stored at the following location based on the platform:
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Adobe\AIR\ELS\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

[Windows Vista/Windows 7/Windows 8]
C:\Users\<user_name>\AppData\Roaming\Adobe\AIR\ELS\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
On Windows, Adobe AIR uses DPAPI functions to encrypt the credentials using the 128 bit AES-CBC algorithm. Here is the typical sequence which is generally used to store the secret data.
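import flash.data.EncryptedLocalStore;
import flash.utils.ByteArray;

// Secret to protect, serialized to bytes for the store
var strToEncrypt:String = "passw0rd";
var myByteArray:ByteArray = new ByteArray();
myByteArray.writeUTFBytes(strToEncrypt);

// Save the bytes under the name "securityxploded" in Encrypted Local Storage
EncryptedLocalStore.setItem("securityxploded", myByteArray);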
The latest version of TweetDeck (checked with v2.1) no longer uses Adobe AIR. It stores account settings in the file named 'qrc__0.localstorage' at the following location:
[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\twitter\TweetDeck\localStorage\

[Windows Vista & higher]
C:\Users\<user_name>\Appdata\Local\twitter\TweetDeck\localStorage\
This file is in SQLite database format. It has one table, 'itemTable', containing key & value fields which store various user settings. The login email is stored under the key 'tweetdeck_account' and the encrypted password under the key 'hoard'. This field contains the login email id and the base64 encoded text of the actual encrypted password.

More reversing is required to further analyze the encrypted password. If you find any interesting details, do share.

Related Tools: Twitter Password Decryptor
 
 
 
See Also