Recovering local Chrome passwords from dead PC [migrated]

Recently my PC died and will not power on. The motherboard had a complete failure. My HDD survived. I have it set up as an external to pull my photos and such. My question comes down to transferring the local passwords I had stored in Chrome. I didn’t have Google account sync. But the profiles are still accessible on the old HDD. I want to view my passwords or at least transfer them to my new PC. The older HDD belonged to a Win 8.1 PC. I pulled up the Login Data SQLite file, but when I view it in SQL Server it says the password value is stored in a blob. Any advice on recovering them would be helpful; a majority of my life’s on there.

Store passwords locally with plain-text access on WinPE

I have an application that needs to store network credentials for a network drive/share on the disk. The user shouldn’t need to enter the password every time. The OS is WinPE, so the user cannot map the drive once and have it stay there.

Limitation:

  • I need the password in plain text, to map the drive.
  • The program should work without an additional password that the user has to enter.

Thoughts:

  • Hash + Salt is not reversible, so I cannot get the password in plain text.
  • An encrypted password is not safe, because the program has to store the key. If someone looks inside the code he will get the key and decrypt the password.
  • I cannot use the “Protect Data” interface of Windows, because I use WinPE. (Protect Data Documentation)

The program is written in C#. Maybe someone has a good idea about my problem. Thanks!

Could you store your passwords in a phone app governed by a QR code?

I had an idea a little while back to have an ID card with a QR code on it that you kept in your wallet. When you want to access your passwords (view them directly), you need your ID card and to scan it with your password-protected iPhone. This then reveals your desired passwords.

But I’m thinking about it more and it doesn’t seem to offer any extra “security” or protection of your passwords. You have your phone password memorized, so that’s secure. Once you get into your phone and open the customized QR reading password app, you could just have direct access to your passwords right there instead of having the QR code layer. But, say we add the QR code step, of scanning the QR code to get access. Maybe it only works on your phone. So you have your phone password and a QR code protecting your password.

Does something like this offer any extra security? I’m thinking along the lines of n-factor auth and having an actual physical ID card in the mix.

Is having multiple correct passwords for a single username a security problem?

This question occurred to me when using online banking. My wife and I have a joint account. The username to log in to internet banking is just our account number, so it is the same for both of us. Nevertheless, the bank supplied us with 2 distinct passwords.

If the passwords were only given out by the bank and we would log into the same account, this would probably be fine.

But first, the bank actually forces us to each choose our own new password. In theory I could choose the same password as my wife, and then the system would tell me ‘you can’t use this password because it is already taken’ or something like that, so I would have guessed my wife’s password. Security-wise that seems very shady.

Secondly, although we access the same money in the bank account, we don’t have the exact same user account at the bank, as for some actions the identity of the user is needed (for example ‘please send a new credit card’: should it be for me or for my wife?). The situation where one username combined with one password accesses one user account, and the same username with another password accesses a different user account, looks to me like a severe breach of security.

Is this actually fine or is the bank using some very sloppy and potentially unsafe programming for their joint accounts?

How are short passwords not safe on the web?

On all web services that require passwords, like Gmail, you are asked to set a long password, like 8 characters or more.

The reason being higher security.

But the same services limit the number of login attempts to 3-4 tries before locking your account and asking for more info. Something which I find very annoying, but that’s another topic.

So how is a short password insecure if they limit login attempts? If the password has 5 characters, someone cannot try all combinations in just 3 attempts.

Hashing passwords before sending them to the server

When the user tries to log in, the POST request has the password in clear text. Even when using HTTPS, the server admins can somehow log POST requests and get the user’s password.

I’m looking for a way to prevent the above threats (admins seeing the password, or the password getting stolen in a MITM attack). We don’t need to know the actual password, because it is used to encrypt stuff on the client side.

I have thought about hashing the password using SHA-256 before sending it, but the user’s password might be weak and the hash could easily be found in rainbow tables, so it’s pointless.

However, I am out of ideas. Can anyone help me?

Forcing users to think up more complex passwords / ease of remembering them

Are there any guidelines on the trade-off between forcing users to have complex passwords (longer, including numbers and special characters etc.) and the reduction in security if users therefore have to write down these passwords because they can’t remember them?

To clarify: what I’m thinking about here is where users may have their own preferred (and memorised) set of passwords, but get forced by sites to start making them longer, or adding a number, or sites which just refuse to accept the password unless the site itself deems it strong enough (hello Google). So users then have to think of other passwords that fit these particular criteria, which, being non-standard ones, they are then more likely to write down.

So I guess the question is: what do users actually do when confronted with a site which tries to force them to use passwords with particular formatting?

Can ProtonMail access my passwords and hence my secrets?

ProtonMail provides encrypted “zero-access” mailboxes. The way they explain “zero-access” is, at least for me, similar to zero-knowledge encryption. However, ProtonMail has my private keys on its servers. They say that the keys are encrypted as well, but they also have my password for that encryption on their servers. Therefore, it seems to me that ProtonMail could at any time access my private keys and my mailbox.

Is this correct, or am I missing something? Is this the reason why they do not call it zero-knowledge encryption?

Keeping passwords in plain text in the “value” attribute. Add-ons can use this for password leaking

Either there is a security hole or I’m missing information about something.

While I was testing how the Surfingkeys add-on works, I noticed that it has a command yf to copy form content on the current web page. I thought about testing it on “Sign In” and “Log In” forms on a few websites to see if it would be able to retrieve typed passwords in plain text. It was successful if standardized <form> tags were used.

Then I noticed that in most web applications the password is kept in the <input value=""> attribute in plain text, which to me seems like a security hole in the standard for the whole W3 stack (HTML, CSS, JS, etc.). If this add-on was able to get the password from the DOM, then any add-on can do that. The only piece missing is sending that data to the server of a 3rd party who owns such a malicious add-on; such a situation already took place with Stylish.

So the attack scenario looks like this:

  1. Company “mal1c1ous” buys a popular web add-on.

  2. They add to the add-on a generic <form> parser script which retrieves data from <input value="">.

  3. For each known website they make their add-on “decorate” submit buttons with a script which on click first sends a request with the credentials to their server and then to the host of that website. Or they just send requests each time the parser script is able to get new data.

  4. After some time they perform an attack using the gathered credentials.

I find that scenario possible; show me that it can’t happen. Also, my question is: given that, is Web security flawed by design?

The thing is that no one discourages using <input value=""> as a password holder; it seems that there is no other option in the standard. Web developers can only come up with their own ideas to obfuscate where a password is stored before the request is made.