AutoCompete stored passwords encrypted but with what?

[Gruzin]

I'm researching how Microsoft encrypts the usernames and passwords
stored with AutoComplete. From several posts and newsgroups it's been
pointed out that usernames and passwords reside in the registry here:
HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\IntelliForms\SPW

However does anyone what kind of encryption (i.e. 3DES, or AES, or ?)
and how it generates the symmetric key (if that is indeed what it's
using)? If the key is dependant on the password of the windows
account, then having a stronger login password MIGHT advertantly
(hopefully) increase the strength of the passwords stored. I've
searched and it doesn't seem to be documented anywhere on TechNET or
MSDN.

 

[Alan]

I'm researching how Microsoft encrypts the usernames and passwords
stored with AutoComplete. From several posts and newsgroups it's been
pointed out that usernames and passwords reside in the registry here:
HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\IntelliForms\SPW

However does anyone what kind of encryption (i.e. 3DES, or AES, or ?)
and how it generates the symmetric key (if that is indeed what it's
using)? If the key is dependant on the password of the windows
account, then having a stronger login password MIGHT advertantly
(hopefully) increase the strength of the passwords stored. I've
searched and it doesn't seem to be documented anywhere on TechNET or
MSDN.

If you can't find out where they are why would making them any stronger make
them more secure than be helpful? Why would revealing the encryption help
security for those passwords? It seems as if the system works.

 

[Gruzin]

Alan-
You present a valid question. I'm a firm believer there is no
security through obscurity. IE AutoComplete or any system is not
secure just because people are not aware of the mechanism that is used
to hide information. For instance IE could just do something simple
like XOR a static value with passwords all the time, on all browsers
(since the IE code is hidden no ones knows). I highly doubt they
actually do this. However if one day a clever hacker or researcher
found out that static value (all browsers would be vulnerable--a
massive problem). The question comes down to do you trust Microsoft or
would you rather know the algorithm they use and feel confident using
it when saving passwords in IE. In cryptography Kerckoff's law states
that the security of a system should only be dependant on the key, not
the algorithm. Hence I only want to know what they are using to be
assured it's secure, and not just buy MSDN or TechNET words about the
information being encrypted. To answer the first part of the question,
sometimes the system bases cryptographic key on the complexity of the
password--so if you choose a password like "hello", it generates a
weaker symmetric key than if you chose "kR&3`?*)+#".

 

[Gary Smith]

For what it's worth, pspv (http://www.nirsoft.net/utils/pspv.html) decodes
an displays all of the stored passwords, so the encryption obviously isn't
very strong.

 

[Gruzin]

Thanks for your help. From some extra research I have determined
usernames and passwords are encrypted with Triple-DES. Triple-DES is a
strong symmetric key algorithm however to be able to decrypt all you
need is the local logon credentials for initial authentication (if you
log in, you basically are granted access), so basically not very
secure. Essentially anyone who has access and is knowledgeable enough
about the Protected Storage System (PStore) API
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/devnotes/winprog/pstore.asp]
can write a program to find the passwords (by no means is that
trivial), however through distribution methods an equalizer. There is
code below that I found written in C++ that actually how this is done.
I'm going to end the post here.

http://www.koders.com/cpp/fid00C43B6186F1BADAB0C12ECF1CDD3B3C1371D4D8.aspx