Finding passwords in cookies

Is there any way of finding a password that is saved in a cookie? It would be sufficient to move the cookie onto another computer if I could find it. Can that be done?

Most passwords aren’t saved in cookies*

But yes, you can move cookie files over between computers, though AFAIK every browser stores its cookies in a different location, so you also have to use the same browser, or at least a compatible version of that browser. I’ve not tried it myself, but Firefox, for example, stores its data in a very simple format that should be easy to copy.

ETA: usually, websites just put a simple random number in the cookie, and store any associated data on the server instead of the user’s computer. The upshot is that, effectively, using that cookie will give you access, but all the sensitive data isn’t stored and transmitted all over the web.

ETA2: if you want to see what’s in your cookies, Firefox at least has an option for that in the privacy section.

I believe there are two different situations here:

  1. Sites like MyYahoo! where you log on and tell the site “keep me logged on for X days” - in that case, I think that there is no password stored on your system, just a cookie telling Yahoo! “the login will expire on this date”.

  2. Browsers (like any modern browser) that give you the option to save an entered password for a particular website - in that case the browser will save the password in a file of its own, separate from any of your cookies, and the file that your browser uses to save passwords will be encrypted. Situation 2 is what the OP is asking about, right? The answer would be different for every browser.

In my experience, hashes are far more common than just random numbers. Less overhead, since you can just hash some known info rather than having to store random numbers and the associated user account for x days.

I work with web security software. With our stuff the only time the password goes down the wire is on the POST request. That is, when you’ve filled in your userid and password and click ‘submit’. If the authentication is successful a cookie is created for the session. Part of the cookie contents is the IP address of the machine that started the session. If the cookie is intercepted and used on a different machine it won’t work because the server verifies the incoming request IP against the IP in the cookie. If they don’t match the request is rejected. The contents of the cookies are encrypted and hashed as well to protect them from manipulation.
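The two designs discussed in this thread (an opaque random session number with the real data kept on the server, and a self-contained cookie whose contents are integrity-protected and tied to the client IP, as kferr describes) can be shown side by side. The following Python is an added illustration written for this page, not code from any poster or product; the session store, the key, the user name and the IP addresses are all constructed for the demo, and the self-contained cookie is protected with an HMAC only (integrity, not the encryption kferr's product also applies), which is a deliberate simplification.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this demo: a real server would load its key from protected config.
SERVER_KEY = secrets.token_bytes(32)

# ---- Design 1: opaque session id, all state lives on the server ----
SESSION_STORE = {}  # session id -> {"user", "ip", "expires"}

def create_opaque_session(user, client_ip, ttl_seconds=3600, now=None):
    """Issue a random, meaningless token; the cookie itself carries no user data."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"user": user, "ip": client_ip, "expires": now + ttl_seconds}
    return sid

def check_opaque_session(sid, client_ip, now=None):
    """Return the user for a valid session, or None if unknown, expired or from another IP."""
    now = time.time() if now is None else now
    rec = SESSION_STORE.get(sid)
    if rec is None:
        return None
    if now > rec["expires"]:
        del SESSION_STORE[sid]      # expired sessions are dropped on first use
        return None
    if rec["ip"] != client_ip:      # replayed from a different machine
        return None
    return rec["user"]

# ---- Design 2: self-contained cookie, signed and bound to the client IP ----
def b64encode_nopad(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64decode_nopad(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed_cookie(user, client_ip, ttl_seconds=3600, now=None, key=SERVER_KEY):
    """Cookie = base64(payload) '.' base64(HMAC-SHA256(key, payload)); no password inside."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "ip": client_ip, "exp": int(now + ttl_seconds)},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return b64encode_nopad(payload) + "." + b64encode_nopad(mac)

def check_signed_cookie(cookie, client_ip, now=None, key=SERVER_KEY):
    """Verify the MAC first (constant-time), then the expiry and the IP binding."""
    now = time.time() if now is None else now
    try:
        p64, m64 = cookie.split(".", 1)
        payload, mac = b64decode_nopad(p64), b64decode_nopad(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                 # contents were altered or forged
    data = json.loads(payload)
    if now > data["exp"] or data["ip"] != client_ip:
        return None                 # expired, or presented from another machine
    return data["user"]

def cookie_contents(cookie):
    """What someone who copies the cookie can read from it: user and IP, never the password."""
    return json.loads(b64decode_nopad(cookie.split(".", 1)[0]))

if __name__ == "__main__":
    sid = create_opaque_session("alice", "203.0.113.5", now=1000)
    print("opaque, same IP   :", check_opaque_session(sid, "203.0.113.5", now=1500))
    print("opaque, other IP  :", check_opaque_session(sid, "198.51.100.7", now=1500))
    c = make_signed_cookie("alice", "203.0.113.5", now=1000)
    print("signed, contents  :", cookie_contents(c))
    print("signed, other IP  :", check_signed_cookie(c, "198.51.100.7", now=1500))
```

The opaque design is the one the earlier ETA describes: the cookie is a lookup key and nothing else, so copying it to another machine reveals nothing and the IP check blocks reuse. The signed design is readable by whoever holds the cookie (hence kferr's encryption on top of the hash), but any edit to the payload breaks the MAC and the request is rejected before the contents are even parsed.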

If I’m not mistaken, he was talking about a session ID, not hashing the clear text contents of the cookie.

kferr has the best answer, but there are a few older sites that have very lax security, or even put the password in the URL. The problem with this is that people tend to use the same password for everything. So if you have one password, you have them all.

This is why it’s best to make sure any site that uses money, like paying your credit cards or bank statements, always uses a different password from your normal one.

I should have made the question clearer. This is a VPN password to my office. I have the UID correct (I tested that) and I was sure I remembered the password. But when I installed it on a new computer the UID and password were refused (with no indication where the problem is, but since the UID is correct, it can only be the password). Yes, I can get the password from my office, but it would be a nuisance. But I guess I will.