Say I have a "Login Data" Chrome file that is encrypted with the user's Windows password. Is there a way I can brute-force the file and try to decrypt it using every password possible?

schroeder
Safwan
  • Relevant: https://security.stackexchange.com/questions/44493/vulnerability-of-chromes-login-data-file-after-being-orphaned-from-the-host-s – schroeder Oct 05 '20 at 08:47
  • What do you mean by *'encrypted with the user's Windows password'*? Chrome does not encrypt passwords with the user's Windows password. – nobody Oct 05 '20 at 09:12
  • @nobody I read that Chrome uses the Data Protection API (DPAPI) and the "Login Data" file can only be decrypted by the same Windows user that encrypted it because it uses the Windows password, correct me if I'm wrong. But is there any way I can decrypt this file? – Safwan Oct 05 '20 at 13:47
  • @Safwan Thanks for the clarification. That information is a bit outdated. See my answer below – nobody Oct 05 '20 at 16:01

1 Answer

Since Chrome v80, Chrome encrypts cookies and passwords using AES256-GCM with a randomly generated key. The key used for encryption is then encrypted with DPAPI and stored in the 'Local State' file in the user's Chrome profile. However, DPAPI is used in Local_Machine scope, which means that any user on the computer where the encryption was done can decrypt the data (i.e. the encryption does not rely on the user's password at all). I am not sure exactly how the master key for encryption on Local_Machine is derived, but if I remember correctly, it uses environment-specific variables.

What this means is that if you only have the "Login Data" file available, you will have to brute-force the 256-bit AES key, which is currently practically impossible. Even if you can get your hands on the user's "Local State" file, you will still not be able to decrypt the key unless you can figure out and obtain all the environment-specific variables DPAPI relies on. Your best bet would be to gain physical access to the system while any user is logged on and then decrypt the passwords using something like ChromePass.

nobody
  • I don't have physical access to the machine; all I have is the "Login Data" file, which is impossible to crack according to what you've just said. Thanks for your time. – Safwan Oct 05 '20 at 19:04
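As an added illustration (not code from the question, the answer, or Chrome itself), this Go program reproduces the scheme the answer describes: a random 256-bit key, AES-GCM, and one stored value per saved password. The layout of a stored value (a "v10" version prefix, a 12-byte nonce, then ciphertext and a 16-byte tag) is this example's assumption about Chrome's on-disk format. It shows why a "Login Data" file on its own is not brute-forceable in any useful sense: a wrong key is rejected by the authentication tag rather than producing near-miss output, and the only secret to guess is the 256-bit key, not anything derived from a human-chosen password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Assumed value layout (this example's assumption, not stated on the page):
// "v10" || 12-byte nonce || ciphertext || 16-byte GCM tag.
const versionPrefix, nonceLen = "v10", 12

// profileCipher sets up AES-256-GCM under the per-profile key (DPAPI-wrapped in Local State on a real system).
func profileCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealLoginValue builds one Login Data-style value from a password.
func sealLoginValue(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte(versionPrefix), nonce...) // Seal appends ciphertext||tag
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// openLoginValue reverses sealLoginValue; a wrong key yields no garbage to inspect,
// the GCM tag simply fails to verify and Open returns an error.
func openLoginValue(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	hdr := len(versionPrefix) + nonceLen
	if len(blob) < hdr+gcm.Overhead() || string(blob[:len(versionPrefix)]) != versionPrefix {
		return nil, fmt.Errorf("not a %s blob", versionPrefix)
	}
	return gcm.Open(nil, blob[len(versionPrefix):hdr], blob[hdr:], nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	right, _ := profileCipher(key)
	wrong, _ := profileCipher(make([]byte, 32)) // an all-zero key guess
	blob, _ := sealLoginValue(right, []byte("hunter2"))
	_, err := openLoginValue(wrong, blob)
	fmt.Printf("blob %d bytes; wrong key -> %v\n", len(blob), err)
}
```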