Is Internet Explorer 8 password storage encrypted and/or safe?

1

I use Internet Explorer 8 at work. My system is part of a corporate domain.

I am allowed to use personal email. As much as I don't want to, for convenience, I save my username and password so that I don't have to log in every single time.

Please be assured that everything possible in my system is backed up and stored on a server. So whatever form the saved data is in, it is available to IT people.

I don't want them to find out my usernames or passwords.

Where does IE8 store my usernames and passwords and how secure is it from (bad) IT people? Can I safely save them knowing that even if they have copies, the encryption (if any) cannot be cracked in a practical amount of time? I do change my password at least once a month.

Senthil Kumar

Posted 2010-08-17T07:09:01.317

Reputation:

Answers

4

The important part is, if your system is in a corporate domain, the IT people, bad or not, already have all access to your data. They could sniff the traffic (it's harder in case of Gmail because of SSL, but possible), they can just open radmin/vnc and do anything they wish, etc.

Moreover, encrypting passwords when everything is backed up is just absolutely useless. If IE can pick the key and decrypt your passwords, anyone who has access to a backup can do that too. (If the 'pick and decrypt' sounds too complicated, I'll be more specific: extract a copy of your profile from backup and copy to %AppData% locally.)

To summarize, while some encryption may look safer, anyone with basic IT skills can circumvent it without any trouble.

whitequark

Posted 2010-08-17T07:09:01.317

Reputation: 14 146

I make sure that anything important I log in to uses SSL. But still, given the fact that they can virtually back up anything from my system and due to this 'pick and decrypt' thing, are you saying they can see my usernames and passwords if they want to? – None – 2010-08-17T07:22:47.343

1 Of course. Also, you're not really safe with SSL while you're connecting through a corporate gateway: they could redirect Google traffic to some intranet server with a page set up to represent the original login dialog, then capture your passwords and redirect back to Google; you wouldn't ever notice anything. It's very unlikely that anyone really would do that: there are much easier ways. – whitequark – 2010-08-17T07:28:32.917

Oh okay. Leaving out SSL, if I use IE8 InPrivate mode and DO NOT save usernames or passwords, can my usernames and passwords be found out? I know this is very tough to answer since neither myself nor you fully know exactly what my IT dept has installed/doing with my system. But a chances/probability type of answer will be enough for me to make decisions. For practical purposes, can IE8 InPrivate + SSL offer decent protection from snooping IT people? – None – 2010-08-17T07:32:24.687

By "practical purposes" I assume that there are no 'hacker' utilities like backdoors/keyloggers/etc installed. In this case, yes, private mode and SSL will make your password safe (username is to the left of "@", isn't it?). You should, though, check for remote desktop software as it is very common in corporate environments (I'm almost sure you have one running), and while it cannot be used to recover your password, a remote user can do everything with your mail while you're not looking at the screen. To circumvent that, close the window while you're dining or such. – whitequark – 2010-08-17T07:51:19.507

Okay. Thanks for the heads up on remote desktop. I'd like to know more about the mechanism by which IE8 stores passwords and generally the things that are possible when the system is part of a domain. If you have any at the moment, it will be great if you can post some links where I can read up about these things. – None – 2010-08-17T08:00:49.713

Here's a small guide: http://www.windowsreference.com/internet-explorer/howto-recover-forgotten-passwords-stored-by-internet-explorer-876/

Particularly: "AutoComplete Passwords: These passwords are saved in the following location in the Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 The passwords are encrypted with the URL of the Web sites that asked for the passwords, and thus they can only be recovered if the URLs are stored in the history file."

– whitequark – 2010-08-17T08:39:54.553
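
The guide quoted in the comment above says each saved password is encrypted with the URL of the site that asked for it. As an added example (not from the original thread or the linked guide), this PowerShell code shows that idea on constructed data only. Assumptions: Windows PowerShell 5.1, the per-user Windows data protection API (DPAPI, via .NET's ProtectedData) as the encryption mechanism with the URL as extra entropy, and made-up function names, URL and secret.

```powershell
# Added illustration on constructed data; it does not read Internet Explorer's store.
# Assumption: DPAPI (ProtectedData) stands in for the encryption the guide describes.
Add-Type -AssemblyName System.Security

function Protect-WithUrl {
    param([string]$Secret, [string]$Url)
    $data    = [System.Text.Encoding]::Unicode.GetBytes($Secret)
    $entropy = [System.Text.Encoding]::Unicode.GetBytes($Url.ToLowerInvariant())
    # CurrentUser scope: the key material belongs to the Windows profile of the
    # logged-on user; the URL is only mixed in as additional entropy.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $data, $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    ,$blob   # unary comma keeps the byte[] intact on the pipeline
}

function Unprotect-WithUrl {
    param([byte[]]$Blob, [string]$Url)
    $entropy = [System.Text.Encoding]::Unicode.GetBytes($Url.ToLowerInvariant())
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $entropy,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.Text.Encoding]::Unicode.GetString($plain)
    } catch {
        # Wrong URL or a different Windows user: DPAPI refuses to decrypt.
        if ($_.Exception.GetBaseException() -is
            [System.Security.Cryptography.CryptographicException]) { return $null }
        throw
    }
}

# Constructed sample values, not real credentials or sites.
$url  = 'https://mail.example.test/login'
$blob = Protect-WithUrl -Secret 'alice / CorrectHorse' -Url $url

$sameUrl  = Unprotect-WithUrl -Blob $blob -Url $url
$otherUrl = Unprotect-WithUrl -Blob $blob -Url 'https://other.example.test/'

'Decrypted with the matching URL : {0}' -f $sameUrl
'Decrypted with a different URL  : {0}' -f ($null -ne $otherUrl)
```

No password prompt appears at any point: code running in the same logged-on Windows session that knows the URL gets the plaintext back, so the URL binding is not a secret the user alone holds.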

0

Technically, if they want your data, they can find a way to get it (keyboard sniffer, using a proxy to decode your SSL connections, etc).

Legally, if they do, you can sue them unless you signed something which says that anything stored on your computer belongs to the company (and I think that even in America, judges will consider such a contract too broad).

In Germany, for example, email is pretty much the same as normal snail mail and sniffing email traffic and reading other people's mails is a severe crime. That also means that spam filters are only legal if every affected person signed a document accepting that their mail is filtered by a program.

Aaron Digulla

Posted 2010-08-17T07:09:01.317

Reputation: 6 035

Here in India, the legal system is so bad and slow, I'd be better off hiring some gangstas to bully them into wiping out all the information they have about me :D..so to speak. I don't remember signing anything related to information handling, but I'd better check. Thanks for the info Aaron! – None – 2010-08-17T08:09:30.590

0

As an alternative to the IE password storage, I recommend the iMacros for Internet Explorer addon: http://www.iopus.com/download/imacros-ie/ - I like it because the macros are simple text files and nothing is stored at strange places in the registry.

iMacros is free and encrypts passwords with 256-bit AES. Similar iMacros extensions are also available for Firefox and Chrome (open source).

Another non-free alternative is Roboform.

Area51

Posted 2010-08-17T07:09:01.317

Reputation: 11