Forty-two percent of the passwords used lowercase letters from “a to z”; only 6 percent mixed alpha-numeric and other characters.

Many of the top 20 passwords used were Spanish names, such as Alejandra and Alberto, suggesting that the victims were in Spanish-speaking communities. Nearly 2,000 of the passwords were only six characters long. The longest password was 30 characters — lafaroleratropezoooooooooooooo.

The 10,000 passwords and user names, believed to be booty from a phishing attack, were posted over the weekend to the clipboard site PasteBin. The site owner has since removed the list, but Bogdan Calin of Acunetix grabbed the passwords before it disappeared.

The list included only online account addresses that began with “A” or “B,” suggesting that the list was only part of a larger cache of credentials. On Tuesday, the BBC reported that it had viewed a second list of more than 20,000 account credentials that included Gmail, Yahoo and AOL accounts, and that Google had uncovered a third list containing an unknown number of accounts.

Some of the accounts on the list of 20,000 names the BBC saw appeared to be old, unused or fake, though many were genuine. The list also included Comcast and Earthlink accounts.

Both Google and Microsoft, which own Gmail and Hotmail, MSN and Live.com respectively, have taken measures to block use of the exposed accounts until the legitimate users can reset their passwords.

source: wired.com

Like other browsers Chrome also has built-in login password manager functionality which keeps track of the login secrets of all visited websites. Whenever user logins to any website, he/she will be prompted to save the credentials for later use and if user chooses so, then the username & passwords will be stored in internal login database. So next time onwards whenever user visits that website, he/she will be automatically logged in using these stored credentials which saves hassle of entering the credentails every time.

ChromePasswordDecryptor is standalone application which does not require any installation and can be directly executed after copying to local system.

* Launch the ChromePasswordDecryptor on the system.
* By default it will automatically display the default chrome profile path for current user. However you can change the path using the ‘browse’ button besides it.
* Then you can click on ‘Show’ button to decrypt and display all the stored login secrets from Chrome.
* Next you can click on ‘Export’ button to save all the secrets to standard HTML file.
Download chromepassworddecryptor

via Google Operating System

A good password has the problem of being difficult to remember. And sometimes you might need to get in to a system where the root password is long forgotten (or left with the system administrator before you).
Luckily there are ways of getting access to systems without having the password. This is of course in a sense also a security risk. That’s why you should always be aware that having unattended physical access to a computer system means the same as having root access to the operating system. Unless the information on a system is encrypted, it’s only as save as the room it’s in.

The method to use to reset the password if you lost the root (or only) password depends on the configuration of your system. But it mostly comes down to two separate tasks:

- get write access to the root partition

- change the password/circumvent control

Here are some things you can try from easy to more complicated.

1.booting into single user mode from the start menu

Some systems are configured to drop you into root shell without a password if you reboot them in single user mode. If your system has an option called single or recovery mode changes are it will drop you directly to the root prompt or as I know ubuntu does it serves up a menu with ‘drop to root shell prompt’ as an option. Sometimes you have to hit escape at startup to enter the boot menu.
Once in the root shell it’s as easy as typing passwd followed by your username and the passwd program will ask you for the new password. passwd without a name will change the root password.
If you don’t know the username anymore you can do

#cat /etc/ passwd this prints the password text file where every entry before the : is a valid username

or

#ls /home which will give you the username of the users on the system with a home directory (if the default home path is used)

If you have a system which has this boot option and you think this is just a to obvious security risk (don’t want your little sister to change your root password) you can easily remove this option by editing the file /boot/grub/menu.lst (if you use the grub boot loader) or /etc/lilo.conf (if you use lilo)
If you use Ubuntu you can set passwords for the menu options in the startup-manager from the administration menu security tab or remove the option in the advanced tab.
Grub and Lilo both have password options
to password protect grub create a md5 hash of your password ( #/sbin/grub-md5-crypt ) and edit the file /boot/grub/grub.conf add below the line timeout the following line:

password –md5 password-hash-here

grub configuration should be user root group root and 600 permissions.

to password protect boot menu entries just enter lock below the title line in the /boot/grub/menu.lst file

for protecting lilo edit the /etc/lilo.conf file before the first image stanza place the option

password=clear-text-password

2. booting into single user mode when there’s no menu entry at startup

If there’s no single or recovery option in the boot menu you can still boot into single mode by editing the startup entry. To do this in grub, while in the menu press ‘e’ this will let you edit the menu entries. Just append single to the line starting with kernel. press ‘b’ and the system will boot into single mode.
If your boot manager is Lilo you can pass Linux 1 or Linux emergency as boot parameters.
This approach won’t help you on all systems because many systems will ask you for the root password when booting into single user mode.(Debian does)

3. boot to root shell by using shell as init

If the single user mode has been disabled or is password protected just press ‘e’ in the grub boot menu and add init=/bin/bash (or any other shell executable) to the kernel line. Press ‘b’ to boot and you’ll get a root shell because the init process is replaced with bash while booting. This gives you a rather limited shell but it’s good enough, depending on your system configuration you might have to mount the root partition read/write before you can change the password. Do this by entering

#mount -no remount,rw /

After that you can use passwd again as in previous examples.

If your startup manager is Lilo you can give the boot parameters Linux init=/bin/bash

4. boot from alternative file system

This method is much less likely to be available as it requires some kind of “alternative file system” to be available. If you have non-root access and there is a writable partition (/tmp for instance) and you can place a linux file system relative to that partition for instance by downloading a minimal linux distro and unpacking it you can then give the root= option to grub and set the partition where you placed your own file system as root file system.
Executing the mount command will show the available partitions and how they are mounted. This will only work in very specific circumstances though.

5. boot from a bootable usb stick

If you have no way to access single user mode from the boot menu, or if your single user mode is password protected, you can still use an alternative boot medium. Many systems these days provide a boot option for booting from a usb stick. This is actually a very easy method. The access of boot sequence menu differs by system, most systems display a text like press esc to enter boot menu or something like that. Sometimes the system is already configured to try booting from removable medium first. Many systems also allow changing the boot sequence from the bios. Just change the boot sequence of the system to boot from usb or choose that option from the boot menu. This does require you to have a boot-able usb stick of course. There are many ways to make a usb stick boot-able one of them is described in my article about backtrack, which makes a great distro to use for this purpose by the way. Just boot from the usb device, and open a root shell. The next thing you have to do is find out which is the root partition. Use fdisk to list the available partitions:

#fdisk -l

This will show the disks available.
You can mount them with the mount command. First create a directory mkdir /newdir or mount the partition on an existing directory. Then mount the partition you think is the root.

#mount -o,rw /dev/hda1 /newdir

if mount complaints you have to specify partition type, you find the type as a letter/number combination where it says Id. To show a list of partition type name/Id combinations use /sbin/sfdisk -T

in this case use mount with -t option:

#mount -o,rw -t ext3 /dev/hda1 /newdir

check if it’s the right one with ls:

#ls /newdir (should list a root filesytem)

if it is the wrong partition, just do umount /newdir to unmount it and redo the previous steps with another partition from the list.

If it is the right partition use chroot:

#chroot /newdir

this will make the newdir your root dir

and then enter passwd to change the root password and reboot your system.

6. boot from CD

This is basically the same as option 5 but requires you to have a Linux live-cd or rescue-cd. Most linux installation cd’s double as recovery cd’s by giving you a rescue option at boot or some drop to root shell menu option anywhere in the process. You do need to have a cd/dvd player installed to use this option. The method is exactly the same as in option 5. There are a lot more systems that allow booting from cd/dvd (most older pc’s do) than from usb this makes it a more viable approach.

7. boot from network

Difficult to do in many cases, but if you have access to the bios or the system is already configured to try booting from the network, and you have a system which you can configure as a boot server, it’s more or less the same story as 5 and 6. Boot the system into a OS where you have root access and mount the disk, chroot and you are in.

If you can’t access the BIOS to change the boot sequence because it’s password protected, try searching Google for the master password for your BIOS. Or you can try removing the BIOS battery the BIOS battery is located on the motherboard and is there to keep the BIOS memory as the power is taken of the system. Unplug the system, remove the battery and wait for about 120 seconds. Be warned this will flush all BIOS information (configuration) most systems will boot fine when you reload default BIOS settings (not all). Some motherboards have jumpers for resetting BIOS, if you have the motherboard manual you can look it up. Laptops are sometimes equipped with security features which make flushing BIOS impossible or even render the system completely useless when trying to reset BIOS.

8. place an extra disk in the machine

In most cases the BIOS will auto-detect a new disk, so if you place a new disk containing a boot-able OS and make it the master and the old disk slave, you can make the system boot from the new disk.

9. remove the disk and place it in another machine

If you can’t do any of the above you can always take out the disk and place it in another Linux system. Than you can mount it, chroot to the disk and again use passwd to change the root password. Place back the disk and start the machine.

10. Try to gain root trough known vulnerabilities

If the system has been running for a long time (or not running) without anyone maintaining it, there’s a change it’s running a vulnerable service. This would probably take a lot of time to do. Try fingerprinting the system for running network services that have not been security patched. If there is a easy root exploit to run against the machine it might be possible to get in this way.

Securing your system

Securing yourself against all these options is very difficult. You can remove all removable medium drives, CD/DVD, diskette, fill your usb ports with glue, passwords on everything. The only real protection is encrypted disks on every device you can’t keep in a secure environment. If someone gains unattended physical access to your systems they have access to your data.

What you can do is make it very difficult, secure access to your computers as much as you think is appropriate considering the sensitivity of your data. When it comes to mobile devices, laptops netbooks and the like you should carefully consider what would happen if it gets lost or stolen and someone has access to all your data. Very good Encryption programs are freely available for Linux and you can even choose to encrypt your whole system, in some distributions this is an install option.

Think there is more to try? Easier ways? Think there are better ways to protect against it? Mistakes? Leave a comment. It can take a while before comments are published(different time zone)

• Internet Explorer 4.00 – 6.00: The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
  The base key of the Protected Storage is located under the following key:
  “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”.
  You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted.
  Also, this key cannot easily moved from one computer to another, like you do with regular Registry keys.

• Internet Explorer 7.00 – 8.00: The new versions of Internet Explorer stores the passwords in 2 different locations.
  AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials , together with login passwords of LAN computers and other passwords.

  IE PassView can be used to recover these passwords.

• Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version)
  These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]
  Also, key3.db, located in the same folder, is used for encryption/decription of the passwords.
• Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data
  (This filename is SQLite database which contains encrypted passwords and other stuff)
• Opera: The passwords are stored in wand.dat filename, located under [Windows Profile]\Application Data\Opera\Opera\profile
• Outlook Express (All Versions): The POP3/SMTP/IMAP passwords Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.
• Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.

  Both Mail PassView and Protected Storage PassView utilities can recover these passwords.

• Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key of the account settings.
  The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]
  If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.

• Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]
  The account filename is an xml file with .oeaccount extension.
• ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]
  You should search a filename with .s extension.
• Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
• Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
• MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
  1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
  2. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
  3. In the Credentials file, with entry named as “Passport.Net\\*”. (Only when the OS is XP or more)
• MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
• Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry name begins with “WindowsLive:name=”.
• Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager
  (”EOptions string” value)
• Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value.
  The value stored in “ETS” value cannot be recovered back to the original password.
• AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
• AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
• ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number]
  (MainLocation value)
• ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database)
  (The password hash cannot be recovered back to the original password)
• Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat
  All other passwords are stored in Digsby servers.
• PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].

1 ] Go to any site that allows you to sign in ex. webmail.pair.com

2 ] Enter your fake username. Enter a false (incorrect) password

3 ] Allow Chrome to save password ( It will prompt below the address bar)

4 ] Close Chrome

5 ] Locate and change directory using the command prompt to the path below

%:\Documents and Settings\%user name%\Local Settings\Application Data\Google\Chrome\User Data\Default\Current Session ( Path might be different in Vista )

6 ] Note that the “Current Session” file needs to be present in your
“\Application Data\Google\Chrome\User Data\Default\” directory

7 ] Type this command in cmd : find “&secret” “Current Session”

8 ] You can see that its stored in clear text.
example:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\C
hrome\User Data\Default>find “&secret” “Current Session”

---------- CURRENT SESSION
login_username=FakeUser&secretkey=FakePass&x=18&y=8B

Need to secure your usb drive? Click Here!

Let’s start at the top and work our way down. Any time a password is saved, you’re first prompted with the save password bar.

In Chrome, this object is called PasswordManager. This object is responsible for a lot of stuff, but what we really care about is what happens when you click “Save Password”.

When you click the save button, it calls the following function:

Again, pretty straight forward. The first two items will log information for debugging purposes and aren’t compiled in release mode. It then checks if it is adding a new password or updating an existing one. For the purposes of this tutorial, let’s look at adding a new password.

Most of this function is debug code. What we care about is the call to AddLogin. The WebDataService object is responsible for meta data associated with a web page.

Now we’re getting a little more complicated. Adding a password is done asynchronously and this function handles scheduling that task. It seemed to be very important that nothing interrupt Chrome’s user interface – this keeps it feeling fast and responsive. Now let’s take a look at what happens when this task is run.

We’re almost at the heart of it all. The important call here is AddLogin, so let’s dive into that.

We’ve finally reached the end of the line. This function actually builds the SQL statement for adding a new password to Chrome’s SQLite database. Of course, the password isn’t stored in plain text so Chrome has an Encryptor object responsible for encrypting the password first. Let’s take a look at that.

The important piece here is CryptProtectData, which is a Windows API function for encrypting data. Data encrypted with this function is pretty solid. It can only be decrypted on the same machine and by the same user that encrypted it in the first place.

So what’d we learn by investigating Chrome’s password management system? Well, we learned that Google uses SQLite as the storage mechanism for passwords and other web page related data. We also see that Google has done a great job extracting Windows specific code from the cross-platform stuff. The only Windows specific code here is the encryption function, which can easily be ported by creating a different Encryptor object for each OS.

Credits to: http://blog.paranoidferret.com

Open your Google Chrome browser, click on the Wrench icon in the upper right corner of the screen, then click Options.

In the Options window click the Minor Tweaks tab.

Make sure that “Offer to save passwords” is selected.



On the Passwords window select the website from which you want to retrieve the password, then click the “Show Password” button. The password will appear below the button and the button will now read “Hide Password.”