C:\users\username\AppData\Roaming\Microsoft\credentials @Kyle: While the passwords are hashed and then stored in the directory, the password can often be recovered by using rainbow tables (up to 14 charecters). Even if the file containing the hashes is encrypted, the key used for the encryption must be stored somewhere on the drive and there has to be code refrenceing the location of <b>that</b> key so that the system can find the hash value when the user attempts to log on. – None – 2014-01-30T20:02:52.077

"It's encrypted" is really all that needs to be said for your peace of mind, I should hope :) – Shinrai – 2011-12-13T17:36:12.827

2Encryption isn't hard to break with some reading on the net - I found this out earlier this year at school – cutrightjm – 2011-12-13T17:39:54.180

http://support.microsoft.com/kb/102716 I hate you people for beating me to this answer. Unless I was gunna answer it wrong in which case, thanks :) – OG Chuck Low – 2011-12-13T17:46:41.437

4Neither of these locations relate to where Windows stores user account passwords. – Andrew Lambert – 2011-12-13T17:48:34.890

4@ekaj Depends on the type of encryption, AES 256 like used in kerberos exchanges (windows logins) is VERY difficult if not impossible to break. – Supercereal – 2011-12-13T17:51:36.653

@Kyle: True, it may be difficult, but if someone really needs into something or wants in I'm sure they could use a cloud and use brute force/rainbow tables/ something =p – cutrightjm – 2011-12-13T17:57:26.593

@ekaj Like Kyle said, it depends on the type. Some types (normally ones that are dealing with mass market consumer products like CSS that almost have to have holes in them to work as intended, or some forms that are meant to be encrypted and decrypted by hand like the Caesar Cypher) are relatively easy to break. Modern strong computer encryption like TwoFish is very hard to break. – TimothyAWiseman – 2011-12-13T18:05:02.897

1@ekaj Rainbow tables are fantastic for dealing with short hashes. They do not work well when dealing with much more than that. Brute forcing modern cryptography with a long key is hard. By which I mean be prepared to wait for months or years if you have a spare supercomputer lying around and expect to not see the answer in your lifetime if you don't. – TimothyAWiseman – 2011-12-13T18:08:07.290

I think it was going to take 22 days or so for one computer to crack an 8 digit password using every possible ascii character, I think a cloud could accomplish it – cutrightjm – 2011-12-13T18:18:35.273

you can use Cain's LSA Secrets dumper to get the admin password in cleartext without needing to decrypt anything – Nate Koppenhaver – 2011-12-13T18:21:33.940

2@ekaj define crack? If you mean you want to generate every possible 8 digit password, I suspect you could do it in much less than 22 days on a decent desktop. If you mean actually then try those to see which one decrypts your target file, that depends on how long each attempt takes, and that would take much longer. Also, 8 digits is not considered long for a strong password, and the difficult goes up exponentially with each extra character. – TimothyAWiseman – 2011-12-13T18:42:44.147