
I'm working as a developer in a shared office space, and today when I came to work, my PC no longer booted into Windows, only into UEFI with an error -> couldn't find the primary SSD. I opened up the case on the side, and I saw that my SSD had been removed.

It's the main SSD where I had Windows 10 installed, all programs, as well as Dropbox, documents, and pretty much all important files.

Though everything has been backed up to Dropbox, and I am using the LastPass Chrome extension to save my passwords, I do know that Chrome still has several passwords saved directly, from before I started using LastPass.

Obviously I've already changed all passwords on all my websites, but I am still curious. If someone has full access to my physical SSD now, how hard is it for them to get access to all the saved passwords in Chrome?

Kevin M
  • Possible duplicate of [Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?](https://security.stackexchange.com/questions/40884/is-saving-passwords-in-chrome-as-safe-as-using-lastpass-if-you-leave-it-signed-i) – John Deters Dec 21 '18 at 06:03
  • By changing your Google account password, the access to the saved passwords and every password related to your Google account will be gone. But still, lots of things are possible with that SSD. – Posse Dec 21 '18 at 06:48
  • Once he resets your admin account password, he can change the password of the local user account, and then the Google Chrome saved passwords will be compromised. – defalt Dec 21 '18 at 14:46

3 Answers

Change all passwords now

Most online password stores are all pretty secure at protecting the data over the wire and while it is sitting in the server center ... but if it is sitting in your browser on your physical device it is mediocre at best and terrible at worst.

If Chrome starts up without prompting for your password ... you're toast! They have them all in plain text. If Chrome requires a login, I believe the passwords are still encrypted and stored on the local computer ... which means they can decrypt them (different than cracking a hash).

Either way, your best bet is to change all your passwords RIGHT NOW. I would start with the high value ones like Email, Bank, Stocks, and then work towards things that have access to your payment creds like online stores, and then social media which might seem like the most important but is less likely to crush you long term.

forest
CaffeineAddiction

Chrome on Windows stores both passwords and cookies using Windows' DPAPI, a developer-friendly cryptosystem that uses an encryption key protected by your Windows password. Without the DPAPI key (directly, or indirectly by just logging into the account), an attacker cannot extract any secrets from Chrome. With that said, don't forget that stolen cookies are also a threat, unless you signed out of all your accounts before leaving.

The security of DPAPI is primarily dependent on the security of your Windows password. If the password is very good - too long / random to be brute-forced even considering Windows' low-quality password hashing code - then you're probably fine against that particular attack. If the password is amenable to brute force then an attacker can either just log into your Windows account or extract your DPAPI key and DPAPI-protected data and, with some effort, extract your secrets that way.

Depending on the state you left your computer in before the disk was stolen and the security settings in the OS, there may be sensitive data in the pagefile and/or hiberfile. This could include any data that a program (such as Chrome or Windows itself) had in memory, including passwords, cookies, encryption keys, and potentially even things like your LastPass password vault. Extracting that data is beyond a typical thief - it's not structured for easy retrieval, and may well be fragmentary - but software exists or could be written to do it. A typical thief is also unlikely to break into an office and steal only a hard disk; at a minimum I would expect they're going to be looking for something like financial data, source code or other trade secrets, and credentials or session tokens.

This all assumes you weren't using encrypted drives. A stolen disk/SSD encrypted with BitLocker or VeraCrypt or similar has no value to an attacker beyond whatever they can get for fencing the hardware. If you were using full-volume encryption, changing your passwords was probably a good idea anyhow but the risk was minimal if your encryption was configured reasonably well (not simply limited to a brute-force-susceptible password, for example).

I certainly hope your current disk is encrypted. BitLocker has been available in Windows since Vista, and with Win10 Pro (or Enterprise) it is very easy to use if your PC has a TPM (hardware security chip) and entirely possible even without one (change a setting to not require the TPM, and set up a system volume passphrase and/or require a key that's stored on a flashdrive you only insert when booting up). Full-volume encryption such as BitLocker is a much more comprehensive protection against the theft of data (at rest, such as on a stolen disk) than any per-application or per-file security.

CBHacking
  • "I don't know for sure how Chrome stores passwords, but I would be shocked if it was any less secure than this" It really doesn't matter how securely Chrome *stores* the passwords. As soon as they are automatically filled into any form, the attacker can use the browser's web developer tools to read them from the HTML, or just intercept the requests. – Martin Fürholz Dec 21 '18 at 13:57
  • @MartinFürholz You're assuming that the attacker can get Chrome to run within the user's account. That assumes that the attacker has access to the user's Windows account credentials. Without them, Chrome can't decrypt any of its stored secrets - because the encryption key for them is itself encrypted with a key derived from the user's Windows password - and therefore it won't be autofilling anything. – CBHacking Dec 22 '18 at 05:55
  • Just as you are assuming that it's not possible to get into his Windows user account when the attacker possesses the actual drive. Which I clearly doubt. – Martin Fürholz Dec 22 '18 at 14:37
  • With all due respect, did you read what I wrote at all? I make no such assumption and explicitly point out that the attacker's ability to steal Chrome's saved secrets will depend on the quality of the Windows account's password. This is true whether the attacker boots the system and logs in or uses an offline attack against the disk's file system. What part of my answer or comments made it sound like I was making such a foolish assumption? – CBHacking Dec 22 '18 at 16:05
  • "explicitly point out that the attacker's ability to steal Chrome's saved secrets will depend on the quality of the Windows account's password" where? And yes I read your posting. Why are you fighting here? – Martin Fürholz Dec 22 '18 at 17:29
  • Paragraph 2: "The security of DPAPI is **primarily dependent on the security of your Windows password**. If the password is very good - too long / random to be brute-forced even considering Windows' low-quality password hashing code - then you're probably fine against that particular attack. **If the password is amenable to brute force then an attacker can either just log into your Windows account** or extract your DPAPI key and DPAPI-protected data and, with some effort, extract your secrets that way." I'm "fighting" because you are making a grossly incorrect assumption. Why are *you*? – CBHacking Dec 24 '18 at 06:14
  • That paragraph is not about "an ability to steal Chrome's passwords", it's about how Chrome stores cookies. Period. As you also stated that you don't know how Chrome stores passwords. Actually it does this locally in an SQLite database and encrypts it with CryptProtectData. I don't make assumptions, I am correcting you. – Martin Fürholz Dec 24 '18 at 11:33
  • Which can be easily googled within like 10 seconds, dude. – Martin Fürholz Dec 24 '18 at 11:33
  • That paragraph is about how you can't get secrets out of Chrome (or anything else that uses DPAPI) without the Windows password. Also, telling me about `CryptProtectData` as though that's not literally what DPAPI is (which is protected, again, with the **Windows account** password). I'll update to edit in the fact that Chrome stores passwords the same as cookies (though I already mentioned that it probably was the case), if that will satisfy you. – CBHacking Dec 24 '18 at 14:05
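As an added example (not code from CBHacking's answer, Chrome or Microsoft), here is a PowerShell audit of the at-rest protections that answer describes, run against the local OS volume: whether a TPM is present, whether BitLocker is on and which protector types unlock its key (a password-only protector carries the brute-force weakness the answer warns about), and whether hibernation and the pagefile are configured to leave memory contents on an unencrypted disk. The cmdlets and registry values are the real Windows ones; the function names and finding messages are my own.

```powershell
# Added example, not part of the original answer: audit the at-rest protections the
# answer describes (TPM, BitLocker protectors, hiberfile, pagefile) on the local OS volume.
# Requires an elevated PowerShell on Windows 10 Pro/Enterprise (BitLocker and TPM cmdlets).

function Get-AtRestProtectionReport {
    param([string]$MountPoint = $env:SystemDrive)
    $report = [ordered]@{}

    # A TPM lets BitLocker seal the volume key to this machine, so the bare SSD is useless.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $report.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)

    # BitLocker state of the OS volume and which protector types unlock the volume key.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    $types = @()
    if ($vol) { $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) }
    $report.ProtectionOn  = [bool]($vol -and "$($vol.ProtectionStatus)" -eq 'On')
    $report.KeyProtectors = $types -join ','
    # Only Password/RecoveryPassword protectors: the key is as strong as a guessable passphrase.
    $report.PasswordOnly  = ($types.Count -gt 0) -and
        -not ($types | Where-Object { $_ -notin 'Password', 'RecoveryPassword' })

    # Hibernation and pagefile settings: memory contents that can land on disk.
    $pw = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $report.HibernateEnabled        = ($pw.HibernateEnabled -eq 1)
    $report.ClearPageFileAtShutdown = ($mm.ClearPageFileAtShutdown -eq 1)
    [pscustomobject]$report
}

function Test-AtRestProtection {
    param([Parameter(Mandatory)]$Report)
    $f = @()
    if (-not $Report.ProtectionOn) {
        $f += 'OS volume is not BitLocker-protected: a stolen disk exposes every file, DPAPI blobs included.'
        if ($Report.HibernateEnabled) { $f += 'Hibernation is on: hiberfil.sys may hold in-memory secrets in the clear.' }
        if (-not $Report.ClearPageFileAtShutdown) { $f += 'Pagefile is not cleared at shutdown and is unencrypted.' }
    }
    if ($Report.PasswordOnly) { $f += 'BitLocker relies on a password alone; add a TPM or startup-key protector.' }
    if (-not $Report.TpmPresent) { $f += 'No TPM: use a startup key on removable media or a long passphrase.' }
    $f
}

$report = Get-AtRestProtectionReport
$report | Format-List
Test-AtRestProtection -Report $report | ForEach-Object { Write-Warning $_ }
```

On a machine without the BitLocker feature the volume query returns nothing and the report flags the drive as unprotected, which is the correct reading of a disk that can simply be pulled and read elsewhere.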

The Chrome passwords are stored in a local sqlite database "%localappdata%\Google\Chrome\User Data\Default\Login Data".

The passwords are encrypted using CryptProtectData seeded with the Windows user account password.

There exist a lot of decryption tools for this Google Chrome password database out there on the web.

Related discussion on bugs.chromium.org

Martin Fürholz
  • Those decryption tools are useless without the victim's Windows credentials (or the ability to run software in an already-logged-in session of that user), though. – CBHacking Dec 24 '18 at 14:18
  • @CBHacking an already-logged-in session of that user can be achieved by resetting the password of that user. – Ulkoma Dec 24 '18 at 14:23
  • @Ulkoma Nope, not in any useful way. Ever tried force-setting a user's password (without the old password) via Computer Management? You'll get a warning that *Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.* That "certain information" includes the crypto keys for DPAPI (and EFS). Resetting a password via offline editing of the stored hash in the SAM means no warning, but you still lose the keys (and thus the secrets) forever. – CBHacking Dec 25 '18 at 10:47
  • I just tried that and can confirm this. After force-resetting the password with "net user" Chrome's stored passwords are gone for that account. – Martin Fürholz Dec 30 '18 at 15:29