1
I use Internet Explorer 8 at work. My system is part of a corporate domain.
I am allowed to use personal email. As much as I don't want to, for convenience, I save my username and password so that I don't have to log in every single time.
Please be assured that everything possible in my system is backed up and stored on a server. So whatever form the saved data is in, it is available to IT people.
I don't want them to find out my usernames or passwords.
Where does IE8 store my usernames and passwords and how secure is it from (bad) IT people? Can I safely save them knowing that even if they have copies, the encryption (if any) cannot be cracked in a practical amount of time? I do change my password at least once a month.
I make sure that anything important I log in to uses SSL. But still, given the fact that they can virtually back up anything from my system and due to this 'pick and decrypt' thing, are you saying they can see my usernames and passwords if they want to? – None – 2010-08-17T07:22:47.343
Of course. Also, you're not really safe with SSL while you're connecting through a corporate gateway: they could redirect Google traffic to some intranet server with a page set up to represent the original login dialog, then capture your passwords and redirect back to Google; you wouldn't ever notice anything. It's very unlikely that anyone really would do that: there are much easier ways. – whitequark – 2010-08-17T07:28:32.917
Oh okay. Leaving out SSL, if I use IE8 InPrivate mode and DO NOT save usernames or passwords, can my usernames and passwords be found out? I know this is very tough to answer since neither myself nor you fully know exactly what my IT dept has installed/doing with my system. But a chances/probability type of answer will be enough for me to make decisions. For practical purposes, can IE8 InPrivate + SSL offer decent protection from snooping IT people? – None – 2010-08-17T07:32:24.687
By "practical purposes" I assume that there are no 'hacker' utilities like backdoors/keyloggers/etc. installed. In this case, yes, private mode and SSL will make your password safe (username is to the left of "@", isn't it?). You should, though, check for remote desktop software as it is very common in a corporate environment (I'm almost sure you have one running), and while it cannot be used to recover your password, a remote user can do everything with your mail while you're not looking at the screen. To circumvent that, close the window while you're dining or such. – whitequark – 2010-08-17T07:51:19.507
Okay. Thanks for the heads up on remote desktop. I'd like to know more about the mechanism by which IE8 stores passwords and generally the things that are possible when the system is part of a domain. If you have any at the moment, it will be great if you can post some links where I can read up about these things. – None – 2010-08-17T08:00:49.713
Here's a small guide: http://www.windowsreference.com/internet-explorer/howto-recover-forgotten-passwords-stored-by-internet-explorer-876/
Particularly: "AutoComplete Passwords: These passwords are saved in the following location in the Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 The passwords are encrypted with the URL of the Web sites that asked for the passwords, and thus they can only be recovered if the URLs are stored in the history file."