LOCATIONS OF SAVED PASSWORDS - HACKING Begins

January 09, 2011


Welcome to HACKINGbegins ("An approach to introduce people with the truth of HACKING"). Hello friends, in this post I'll show you where Windows applications store your saved passwords. In today's Internet-driven world, all of us use applications such as browsers and instant messengers. Most of these applications store sensitive information such as user names and passwords in their own private location using proprietary methods. This saves the hassle of entering the credentials every time you authenticate.
However, it is important to know that if this secret information lands in another person's hands, even accidentally, it can easily put your privacy at risk.


Password Secrets of Windows Applications 

Here is a list of popular applications, in categories such as Internet browsers and instant messengers, whose password storage locations are described below.

  •  Firefox 
The passwords are stored in one of the following files, depending on the Firefox version: signons.txt, signons2.txt, or signons3.txt. The passwords in this sign-on file are encrypted using 3DES and then Base64-encoded. Here is the default location of the Firefox profile directory:
 

 [Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\Profiles\<random_name>.default


[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\Profiles\<random_name>.default
...........................................................................................................................
  • Google Chrome
Google Chrome stores all sign-on passwords in the SQLite database file called 'Web Data' within the profile directory. Here is the default location of the Chrome profile directory.

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Google\Chrome\User Data\Default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Local\Google\Chrome\User Data\Default
...........................................................................................................................
  • Internet Explorer
Internet Explorer stores two types of passwords: sign-on passwords and HTTP basic authentication passwords (generally for proxies and router configuration pages). IE versions below 7 store both types in the secure location known as 'Protected Storage', at the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

From version 7 onwards, IE uses a new mechanism to store the sign-on passwords. The encrypted passwords for each website are stored along with a hash of the website URL at the following registry location.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Also, from IE 7 onwards, HTTP basic authentication passwords are stored in the 'Credentials store' at the following location, depending on the operating system.

[Windows XP]
C:\Documents and Settings\[username]\Application Data\Microsoft\Credentials

[Windows Vista and Windows 7]
C:\Users\[username]\AppData\Roaming\Microsoft\Credentials
............................................................................................................................
  • Opera 
Opera stores the login passwords in an encrypted format in the 'Magic Wand File' called 'Wand.dat' within its profile directory. The profile path differs between versions of Opera, as shown below.
For Opera versions below 10:

[Windows XP]
C:\Documents and Settings\<username>\Application Data\Opera\Opera\profile\wand.dat

[Windows Vista/Windows 7]
C:\users\<username>\AppData\Roaming\Opera\Opera\profile\wand.dat
...........................................................................................................................
  •  Microsoft Outlook
Newer versions of Outlook, from 2002 up to the latest version, 2010, store the passwords (other than Exchange server passwords) for email accounts such as POP3, IMAP, SMTP and HTTP at the following registry location.

[Windows NT onwards]
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

[Prior to Windows NT]
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles

Newer versions of Outlook (2002-2010) store the Exchange server passwords in the 'Credential Store', as it provides better protection than other methods.

Older versions of Outlook (Outlook Express, 98, 2000, etc.) store the email configuration information along with the encrypted password at the following registry location:


[For Outlook installed in Internet Mail Only Mode Configuration]
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

[For Outlook in normal mode]
HKCU\Software\Microsoft\Internet Account Manager\Accounts
............................................................................................................................
  • Google Talk 
Google Talk (GTalk) stores all remembered Gmail account information at the following registry location.

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

For each Google account, a separate registry key named after the account's email ID is created under this key. The account password is encrypted and stored in the registry string value named 'pw' within this account registry key.
..............................................................................................................................
  •   Windows Live Mail
All account settings, including the encrypted passwords, are stored in
[Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]

The account file is an XML file with the .oeaccount extension.

.............................................................................................................................. 
  •  Yahoo Messenger
Yahoo Messenger prior to version 7.5 stored the password in the registry value 'EOptions String' at the following registry location:

 HKEY_CURRENT_USER\Software\Yahoo\Pager

This encrypted password can be decrypted using ycrwin32.dll.

................................................................................................................................ 
  •  AIM (AOL Instant Messenger)
AIM version 6 onwards stores the password at the following registry location,  
HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords

AIM PRO uses a different registry location to store the passwords,

  HKEY_CURRENT_USER\Software\AIM\AIMPRO\<Account_Name>

................................................................................................................................ 
  • Paltalk
PaltalkScene stores the main account password at the following registry location:

 HKEY_CURRENT_USER\Software\Paltalk\<nick_name>

The password is encrypted and stored in the registry value 'pwd' under this key. All other IM passwords, such as Gmail, Yahoo, AIM, etc., are saved in separate subkeys under this registry key.

............................................................................................................................... 
  •  Skype
Skype does not store the password directly. Instead, it stores an encrypted hash of the password in the 'config.xml' file located in Skype's user profile directory. A typical Skype user profile directory is as follows:
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Skype\<account_name>

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Skype\<account_name>
................................................................................................................................
  •  MSN Messenger 
The passwords are stored under
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
................................................................................................................................
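
For defenders, the locations listed above can serve as a watchlist: an access to one of these stores by a process other than the owning application deserves a look. The following is an added example, not part of the original post; the owning-executable names, the event field names "image" and "target", and the sample events are all assumptions constructed for illustration.

```python
import re
from ntpath import basename  # Windows path rules regardless of host OS

# (label, regex on the accessed object, expected owning executables).
# Locations come from the list above; the executable names are assumptions.
STORES = [
    ("Firefox sign-on file", r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\signons[23]?\.txt$", {"firefox.exe"}),
    ("Chrome Web Data", r"\\Google\\Chrome\\User Data\\Default\\Web Data$", {"chrome.exe"}),
    ("Opera wand.dat", r"\\Opera\\Opera\\profile\\wand\.dat$", {"opera.exe"}),
    ("Skype config.xml", r"\\Skype\\[^\\]+\\config\.xml$", {"skype.exe"}),
    ("IE IntelliForms Storage2",
     r"\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2(\\|$)", {"iexplore.exe"}),
    ("Google Talk accounts", r"\\Software\\Google\\Google Talk\\Accounts(\\|$)", {"googletalk.exe"}),
]
# Suffix matching covers both the XP and Vista/7 profile roots, and both
# HKEY_CURRENT_USER\... and HKU\<SID>\... spellings of a registry path.
COMPILED = [(label, re.compile(rx, re.IGNORECASE), owners) for label, rx, owners in STORES]

def classify(event):
    """Return (label, image) if a non-owning process touched a store, else None."""
    image = basename(event["image"]).lower()
    for label, rx, owners in COMPILED:
        if rx.search(event["target"]) and image not in owners:
            return label, image
    return None

def scan(events):
    """Return all alerts for a list of access events, in input order."""
    return [hit for hit in map(classify, events) if hit]

# Constructed sample events (hypothetical field names, user name and SID).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\signons3.txt"},
    {"image": r"C:\Users\alice\Downloads\viewer.exe",
     "target": r"C:\Documents and Settings\alice\Local Settings\Application Data"
               r"\Google\Chrome\User Data\Default\Web Data"},
    {"image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
               r"\Internet Explorer\IntelliForms\Storage2\A1B2"},
    {"image": r"C:\Program Files\Skype\Phone\Skype.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Skype\alice.s\config.xml"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for label, image in scan(SAMPLE_EVENTS):
        print(f"ALERT: {image} accessed {label}")
```

Matching on the executable name alone is a weak allowlist; a production rule would also check the full image path or the signer.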

Hope this will be informative for you, kindly post your comments on this article.

Be a real hacker - PROFESSIONAL, and change the trend of HACKING.
Thanks & Regards:

Sahil Mahajan.


1 comment:

  1. HEY windows 7 GOOGLE CHROME AFTER DEFAULT WHAT WE HAVE TO DO....... HOW CAN WE VIEW THE PASS
