Hidden files regarding passwords for Web applications

[sweetsun1970]

Hey all,

I have run many virus scans and searched typical file extensions for
SpyWare, and there is not a hardware keylogger on my computer; however,
my boyfriend has accessed my web-based email accounts. The passwords
are impossible to crack - trust me. Are there hidden files in Windows
which act like a keylogger? I never click remember passwords, and I
don't have any of the autocomplete features turned on. It's like he
has been able to access a file that Word would use to remember what has
been entered so you can press undo.

Surely, if you can have Windows remember your password, there must be a
file that writes to the password remember file. So, where is this
file, and does it remember keystrokes (even asterisks) after shutdown?

Please help!!

 

[Woody]

Have a look: http://www.nirsoft.net/utils/pspv.html

There are many password retrieval utilities out there.

Woody

 

[DL]

Do you have the IE autocomplete, as appossed to web site 'remember' turned
on?

 

[sweetsun1970]

That NirSoft stuff only retrieves passwords to PC applications not web
stuff like Hotmail, Yahoo. And, I NO autocomplete features turned on.
Truly, it's like he decoded the cookie, but cookies are temporary. So
how did this happen?

 

[Woody]

Did you look at the link?

http://www.nirsoft.net/utils/pspv.html

quote

"This utility can show 4 types of passwords:

1.. Outlook passwords: When you create a mail account in Outlook Express
or a POP3 account in Microsoft Outlook, and you choose the "Remember
password" option in the account properties, the password is saved in the
Protected Storage, and this utility can instantly reveal it.
Be aware that if delete an existing Outlook Express account, the password
won't be removed from the Protected Storage. In such a case, the utility
won't be able to obtain the user-name of the deleted account, and only the
password will be shown.
Starting from version 1.50, the passwords of Outlook Express identities
are also displayed.
2.. AutoComplete passwords in Internet Explorer: Many Web sites provides
you a logon screen with user-name and password fields. When you log into the
Web site, Internet Explorer may ask you if you want to remember the password
for the next time that you log into this Web site. If choose to remember the
password, the user-name and the password are saved in the Protected Storage,
and thus they can be revealed by Protected Storage PassView.
In some circumstances, multiple pairs of user-name and passwords are
stored for the same logon window. In such case, the additional passwords
will be displayed as sub-items of the first user-password pair. In
sub-items, the resource name is displayed as 3 dots ('...')
3.. Password-protected sites in Internet Explorer: Some Web sites allows
you to log on by using "basic authentication" or "challenge/response"
authentication. When you enter the Web site, Internet Explorer displays a
special logon dialog-box and asks you to enter your user-name and password.
Internet Explorer also gives you the option to save the user-name/password
pair for the next time you log-on. If you choose to save the logon data, the
user-name and the password are saved in the Protected Storage, and thus they
can be revealed by Protected Storage PassView.
In this category, you can also find the passwords of FTP servers.
4.. MSN Explorer Passwords:
The MSN Explorer browser stores 2 types of passwords in the Protected
Storage:
a.. Sign-up passwords
b.. AutoComplete passwords "

 

[sweetsun1970]

Yes, I looked at the link and ran the utility - only showed POP3 and
some document passwords. I DO NOT have any autocomplete features
turned on so, nor do I use the "remember me" on this computer check
boxes on web logins, so these passwords are not stored in the Protected
Storage.

 

[paulmd]

Yes, I looked at the link and ran the utility - only showed POP3 and
some document passwords. I DO NOT have any autocomplete features
turned on so, nor do I use the "remember me" on this computer check
boxes on web logins, so these passwords are not stored in the Protected
Storage.

There are other methods he could be using. They require physical access
to computer/network. Or at least the room.

Hidden camera over keyboard/watching you type password. Keylogger
INSIDE keyboard. Packet sniffer (records network traffic). Physical
examination of free space on hard disk.

Need new passwords, probably need new boyfriend......

 

[sweetsun1970]

Physical examination of free space on hard disk?????

Please explain.

 

[paulmd]

Physical examination of free space on hard disk?????

Please explain.

The Pagefile/Swapfile, and the hiberfile. Your computer uses your hard
disk as extra RAM. Unlike RAM, however, it stays put until being
overwritten. your hard disk can be opened and searched with a program
called a hex editor.

The hiberfile in XP allows the computer to resume from exactly where it
was, even though the power is shut off. It contains the entire contents
of the RAM, less what is stored in the page file.

But because these files can grow and shrink, there is no guarentee that
the rest of your hard disk is clear.

There is another class of tempory files, called temporary internet
files, that store where you have been online. This makes frequently
vistied pages load faster because they do not need to be re-downloaded.
***He need not have access to your password to know what is in your
emails***. Bar none, this would be the most effective method to spy.

Deleting these files is helpful, but not particularly secure. As they
are not actually overwritten, but merely marked as available free
space. Encrypting the tempory internet file directory, and all files in
it, is more helpful, but is still vunerable because the plaintext would
still be in RAM, and may be in the pagefile, hiberfile, or elsewhere
on the hard disk bitbucket.

Using the built in, command line tool called cipher, to wipe free space
on your hard disk will help. But it is an imperfect tool. It will not
touch the pagefile or hiberfile. Hibernation can be disabled. But the
pagefile cannot be.

 

[sweetsun1970]

So a "hex editor" can be used to inspect the harddrive and decipher a
password that was used to access a web-based account?

He has not only read the emails but has accessed the account. I
planted a fake email from work which he read and asked about. I do not
have the password written down, it is NOT something you can guess, and
he doesn't have a lot of time alone on our computer that we share at
home. No cameras or other crap either. I've tried using several
utilities from the web, and none of the them reveal Yahoo or Gmail
passwords and I don't use online chats. So what gives? Please help.

 

[paulmd]

So a "hex editor" can be used to inspect the harddrive and decipher a
password that was used to access a web-based account?

Read it, yes. Deciphering it is a different matter.

He has not only read the emails but has accessed the account. I
planted a fake email from work which he read and asked about. I do not
have the password written down, it is NOT something you can guess, and
he doesn't have a lot of time alone on our computer that we share at
home. No cameras or other crap either. I've tried using several
utilities from the web, and none of the them reveal Yahoo or Gmail
passwords and I don't use online chats. So what gives? Please help.

Change the password. Again. Change the password on your machine, too.
Give him his own account. Encrypt your stuff. Wipe all free space. Find
out whether your WORK machine is compromised, and if he has some kind
of deal going on with anyone in IT and/or your boss. Corporations often
spy on their employees. This is potentially *very* bad.