Summary: There are tools to recover most of your 'remembered' password. You can use them if you forgot your 'remembered' password, and so can anyone with access to your machine.
I've forgotten my password [to a web site, mail account, instant messaging tool, etc.]. However, I can log in because I have 'remember my password' configured, so the computer just logs me in automatically since it saved password. Is there a way I can see what that password is?
Yes.
And that should scare you, because it's an important lesson about just how dangerous it is to use 'remember me'.
Why? Because if you can recover it, then anyone who has access to the machine can probably recover it.
'Remember my password' doesn't seem like such a good idea anymore, now does it?
•
When you choose 'Remember my password', or any equivalent, the software does exactly that - it saves a copy of your password somewhere on the computer. Sometimes it's stored in plain text - available to anyone if they know where to look, sometimes it's encrypted or obfuscated in some way. Regardless, it has to be quick and easy for the program to fetch the remembered password and decrypt it, if needed, each time you login or do whatever it is that requires that password.
And that applies to almost all common applications that save passwords, including nearly all instant messaging programs, nearly all email programs, and nearly all websites that require some kind of account name and password to login.
So it stands to reason that there would be utility programs that also can retrieve those very same account names and passwords.
Let's start with one that you might not even realize.
Firefox
If you use Firefox as your web browser, do this:
-
Click on the Tools menu
-
Click on the Options menu item
-
Click on the Passwords tab
-
Click on the View Saved Passwords button
-
In the resulting dialog, click on the Show Passwords button
If you're like me, you'll be fairly shocked the first time you do this. Yes, you can set a 'master password' to protect your passwords, but the default is not to have one.
And anyone who walks by your computer while you're logged in can do this.
For other programs, you need to download a few simple utilities. Specifically, NirSoft has available several Password Recovery Tools. Included are tools that will display the saved passwords for a host of different programs and situations.
For example, here's a screen shot resulting from running the 'MessenPass' utility on my machine:
You can see that it lists, for each IM program I run, the service, the account name and the password. While I've obfuscated them here in this example for my protection, the account names and passwords are displayed in clear text.
I'm not guaranteeing it, of course, since there could be many other things at play, but if you've lost a password, and you have 'Remember' turned on, there's a very high likelihood that you can grab one of the utilities from NirSoft, and recover it. It's certainly one of the first things I would try.
Yet Another Word About Security
I encourage you to download those tools and play with them on your own machine. Using them, you'll see how trivially easy it is to recover many passwords that are merely hidden by the 'remember' function of so some applications.
Now remember: anyone can use them.
If you leave your machine logged in, anyone who can walk up to it can insert a CD or floppy with these tools, and get your saved passwords just as trivially.
And while logging out or using a password protected screen saver puts up a barrier, even that barrier, while significant, is not impenetrable.
I want to make sure you remember two important things:
1) 'Remember my password' is a convenience, and a security risk. Use it with caution.
2) If your machine is not physically secure it is not secure. If someone can walk up to it, insert a disk and reboot it, they can take total control. And that includes recovering your passwords with tools as we've seen here.
And remember also, that while you've just read this article and learned how to recover your remembered password ... your 'friends' and perhaps those who are not your friends have also read this and learned how to steal your remembered password.
Related:
-
Ask Leo! - Would you please recover my password? My account has been hacked or I've forgotten it.
-
Ask Leo! - Is it really that easy to get someone's password?
Article C2733 - July 25, 2006
hey nice website
Posted by: Antonio at August 27, 2007 12:07 AMIt showed my password but it still wont let me logg in.
Posted by: bRIT at October 4, 2007 6:39 PMis there a way to view ALL of your passwords used on a single account over time? because i lost my myspace password and tried several others off the top of my memory while i still had the save password button clicked is there a way to view ALL entered passwords?
Posted by: rythrgefw at December 30, 2007 8:12 PM-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
No, not that I'm aware of.
Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFHfoN7CMEe9B/8oqERAmaFAJ0Qz/XqIf8Ek2+SnpXhKgezkCZ74ACfZh1B
Posted by: Leo A. Notenboom at January 4, 2008 11:05 AMIciNWyKHt1VcRLoPYE1yNcs=
=AOXr
-----END PGP SIGNATURE-----
i forgot my password and i really need help
Posted by: taquita at January 18, 2008 1:32 PMvery good and useful
Posted by: veerareddy at June 17, 2008 7:22 PMi have yahoo messenger 9.0 and this software toold doesn't show ne password for that , though i have clicked on on auto login
Posted by: poppy at April 25, 2009 5:58 AMi need for got my pass word
Posted by: kenlor chevelon at May 10, 2009 10:22 AMSystem rescue CD can help with windoz passwords... get it here
Posted by: Hugh at July 28, 2009 8:58 AMhttp://distrowatch.com/table.php?distribution=systemrescue
I use Firefox with a master password, but Opera is my favourite browser (except when it doesn't display certain web sites as the designers intended). I prefer the way Opera handles passwords, except that I've found no way to retrieve a site password when, for example, a web site doesn't display and I want to switch to Firefox.
Posted by: James at August 11, 2009 8:45 AMOpera's good with cookies, by the way, in that I can delete them all on exit, except for a few sites that I've made exceptions.