User secrets part 2 – is it safe to store your password in the browser?

Last time we talked about KeePass, User Secrets and Data Protection API. Today is time for part 2 of that tutorial — we’ll drill the browsers!

Is it safe to store your password in the browser? Today we are going to be talking about the situation in where we rely our browser stored passwords on data protection API. So affectedly on your logon password, in short words.

This is the part 2 of the post “User secrets…” The first video about the KeePass you can see here.

Firstly, you should download the ChromePass – it’s one of the tools that you can download from NirSoft.I’ve got Chrome on this particular machine (this is Windows 10). I’m able to display password of the user that is currently logged on.

Is it safe to store your password in the browser

What you can see is very obvious situation: this is me being logged on, that’s why I’m able to see my own password, so it’s absolutely not a big deal, because I have access to that anyway. Regardless of the tools that you are using, if you are able to extract passwords from the certain browsers, also Outlook, etc, then this is very obvious because these are your passwords that you’re able to use anyway.

Does somebody have access to my passwords?

The party starts when you’re wondering who else may have access to those passwords. We’ve been talking about cached logon data and the keys or key that is stored in the Domain Controller’s memory, that it’s capable of decrypting such.

Let’s have a look at how that all situation looks like, what are the scenarios that I that could affect our password security.

When you give your password to somebody…

First of all, if you give away your password or someone manages to crack it as well, then this person will be able to get access to your passwords that you store in the browser.

What would be our scenario? We will, just to clarify the view, reboot this particular machine from the Windows Installation Media. Why? Because that would simplify the whole scenario.

I’m going to overwrite cached logon data that it’s stored in the registry. I got another machine in the back as well. In this particular case, we will find out if the password is changed illegally, is there a way to get access to our credentials and, at the same time, passwords stored in our browser?

We’re going to switch off the network so that we could log on with the cached logon data and that would be the moment where we will have no access to the Domain Controller, so will be only logging on with the data that I will set up in the registry.

After a moment we are rebooting. We will turn on the console in order to be able to have offline access to that particular machine. It’s worth to mention that this can be done also if you are not having an offline access to the machine, but if you are privileged enough to perform these operations online.

We go to advanced options, command prompt, and then we are ready. I’m going to quickly change the font, that would be a little bit better for all of us. I’m going to get into the place where I’ve got the tools, CQTools, and I got here KiwiCQUREEdition, and I got Mimikatz.

>> Download the KiwiCQUREedition<<
Password: CQUREAcademy#123!

Now we need to do: lsadump::cache. Then specify the two registry hives that are impacting how credentials that are cached (or cached logon data, as we should say) is stored. So basically we’re going to do: D Windows, System32, config, system, D Windows, System32, config, security. I have no possibility to use tab here, and the /kiwi to override cached logon data.

I put enter and I’ve got plenty of different accounts that logged on before into this machine, including Freddy Krueger, which we’re going to be using. Now I’m done, I can go continue, and that would be the moment where we’re going to be impacting the security of the passwords stored in the browser. You’ll be able to see if we are, by changing the password, will be capable of getting access to the user’s password.

Now I want to log on with my password that I had before. The password is incorrect. So I’m going to log on with the password that we have generated right now, which is Mimikatz. Remember: it’s not a local account, it’s a domain account, that’s why it’s a little bit better.

By the way, our team did huge research on the Data Protection API

We’re the first team in the world and the last team at the same time, that discovered a couple of interesting things within the data protection API. We have written more about it in here.

Going back to the subject…

Probably you’re interested if we are able to see the password…

It takes a little moment to open things because I’m trying to decrypt master keys within the data protection API so that I’m able to get access to the password but none of those can be decrypted with my current password –  that’s why this password it’s basically empty over here.


So, is it safe to store your password in the browser?

It depends on the implementation of the data protection API within the browser: how the browser leverages it and so on. In most cases, the answer would be: yes because your passwords depend on your logon password.

I wouldn’t write this post if everything was perfect. Is there a way to get access to this password? Yes. If you’ve got a key, that you can extract from the domain controller’s memory, which we call a backup key  (it’s a private key that it’s used for encrypting master keys). Let me show you where to find it.

Extracting backup key

I go to % appdata%, it’s in the Microsoft, Protect and in the user’s SID. We’re having BK-CQURE and BK-CQURE – it is the public key of the domain that encrypts master keys within the master key containers.

Is it safe to store your password in the browser

So, whoever has access to the private key, that corresponds with this public key, this person is also able to decrypt this data.

Storing passwords in the browser is safe, but…

We’ve got the possibilities to store the passwords in the browser. Is it safe? Well, it depends on:

  • How things were implemented in particular browser
  • If we’re relying on a data protection API
  • The fact that these passwords rely on the password for Windows logon
  • If your machine is a member of a domain – then whoever possesses a private key
  • Corresponding to the public key that decrypts master keys, will always have access to your secrets that have been protected by using data protection API


Use the password manager

Storing passwords in some of the browsers could resolve in them being revealed by the person who is in a possession of the private key of the domain. If you’re wondering what is the best approach over here, I would say that the best would be to use the password manager to which you only have to remember one password. You don’t have to use passwords within the browsers being stored over there when you’re moving in between websites that require it because that kind of software always provides you the possibility to auto-complete the password if there’s a need for that.

Want to discover more? Take CyberBytes training with Paula J: User & System Secrets: Cybersecurity Data Extraction.

User and System Secrets