Is there a way to retrieve passwords saved by Windows in cookies?
I just got a new computer, and while I can sign into one site off of my old computer, because of a saved password, I can’t for the life of me remember what that password is, so I can’t sign in from the new computer.
FYI, your saved browser passwords shouldn’t be stored in cookies but in a separate file determined by the browser.
The best way to recover saved website passwords depends on the browser. I know it’s possible in Firefox and am reasonably sure you can recover them from IE, but I don’t know about Safari or Opera or Chrome or any of the other browsers.
It’s pretty easy to do in Firefox. Under the ‘Security’ Tab in the Options, there should be a ‘Saved Passwords…’ button you can select that will open up a window with a list of all the websites for which you have saved passwords. There should be an option to reveal the passwords in plain text.
Yeah, websites probably won’t be saving your plain text password in a cookie.
It’s usually some hash value representing your session or password.
If you stored the password in your browser by allowing it to recall it (lots of browsers have this feature), then I guess you probably wouldn’t be asking this question.
Doesn’t the website have a “forgot your password?” recovery feature?
To amplify this, in well-designed websites (well-designed password-using systems in general, in fact) the passwords aren’t saved anywhere, ever: The system computes a hash from the password and stores that; on subsequent uses of the password, the input claiming to be the password is hashed and the new hash is compared to the stored hash. If they match, it’s the same password (to an extremely high degree of confidence) and it’s considered a verification.
This is done so nobody can steal the passwords; all they can grab are the hashes, which can only be used to reconstruct possible passwords with a lot of work. Hopefully, the passwords will all be changed by the time that work is complete.
If the OP means passwords stored by browsers there are programs out there that will reveal those. Go to a place like Snapfiles and look in the freeware section.
Then type in IE passwords or Firefox password finder or something and you will get programs to decode the passwords. I once lost the password for a Pop Mail account I had and found a program on Snapfiles for free to decode the password for that Pop Mail account.
Be warned: once you download these programs, they may set off your virus detector, as they will be considered malware. The program isn’t a virus, but it’s considered as such because it will reveal passwords. But any file from Snapfiles is not a virus or malware.
There are two separate things getting confused here - what Derleth said is correct but not directly related to the OP.
One is the server-side password hashing used in all good login systems. If an attacker obtains the hashes, they can’t be used directly to log in. That’s because the server requires the client to provide the plaintext password at login, not the hash. The attacker would have to use a brute force method to find the plaintext passwords corresponding to each hash.
The other is the client-side token cookie used by most web sites to recognize a user after he has logged in. If an attacker steals these, he probably can use them to impersonate a logged-in user. (Strictly speaking he isn’t logging in as you, just hijacking your session after you logged in - essentially the same as forgetting to log out after using a shared computer).
The latter is the basis for the Firesheep tool, which demonstrates how common the problem is and how hard it is to prevent.
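The two mechanisms distinguished in the post above, as an added sketch that is not part of the original thread: the server keeps only a hash of the password and checks logins by re-hashing the input, while the cookie carries a random session token that is valid only until logout. The function names, the in-memory dictionaries standing in for a server database, and the choice of salted PBKDF2 are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor (value chosen for this example)
users = {}     # username -> (salt, derived hash); the password itself is never stored
sessions = {}  # session token (the cookie value) -> username


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[username] = (salt, _derive(password, salt))


def login(username: str, submitted: str):
    """Hash the submitted input, compare with the stored hash, return a token or None."""
    record = users.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_derive(submitted, salt), stored):
        return None
    token = secrets.token_urlsafe(32)  # random; carries no information about the password
    sessions[token] = username
    return token


def whoami(token: str):
    return sessions.get(token)


def logout(token: str) -> None:
    sessions.pop(token, None)  # server-side invalidation: the old cookie value stops working


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample credentials
    stored_hash = users["alice"][1].hex()
    print("hash submitted as password:", login("alice", stored_hash))
    token = login("alice", "correct horse battery staple")
    print("cookie value identifies:", whoami(token))
    logout(token)
    print("same cookie after logout:", whoami(token))
```

Because the cookie holds only the token, reading it back on the old computer cannot yield the forgotten password; it only keeps the existing session alive.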