Why You Should Never Store Passwords in Web Browsers by @grantcollins


Grant Collins

An I.T. nerd who wants to think he is good at cybersecurity but really is just a script kiddie.

In a bid to not always have to type in your passwords, you take Google’s option of storing them in your web browser. But is it safe?

Learn more from the video below.

Watch the Video

https://www.youtube.com/watch?v=yBy2H6VZqpA&ab_channel=GrantCollins

00:00

all right so have you ever been up on a

00:01

website such as the one right in front

00:03

of me

00:04

and you're on your browser and you have

00:06

the option to save your password

00:08

now this is a very standard thing to do

00:09

just go ahead and click save and move

00:11

forward although it may be

00:13

a standard practice it is not the most

00:14

secure way to store your passwords

00:16

so in today's video i'm going to show

00:18

you why it is that you should never

00:20

store your passwords in

00:21

browser through a couple of

00:22

demonstrations and then after that i'm

00:24

going to quickly overview

00:25

some solutions that you can use to

00:27

tackle this

00:28

problem before i get started with demo

00:30

one allow me to overview the scope of

00:32

attack and target devices

00:33

so for demo one i will be overviewing

00:35

and running a simple python script to

00:37

capture passwords through the google

00:38

chrome browser

00:39

because google chrome browser has the

00:41

majority share in the browser market and

00:43

windows has the lead in the os wars i

00:45

will be using both

00:46

services to conduct my attack demo for

00:48

number two i will be switching up things

00:50

moving over to my home lab environment

00:52

which is running an ubuntu 18.04 desktop

00:54

lts version this environment i have a

00:56

post exploitation tool

00:58

installed to capture passwords this time

01:00

the scope is mozilla firefox as my

01:02

browser and

01:03

linux as my os now let's just talk about

01:05

some general limitations to each of

01:07

these attacks first off both demos

01:08

require a scenario where the attacker

01:10

has full remote or physical access

01:13

with correct privileges to the target

01:14

machine also they both require

01:16

python 2.7 or 3.8 to be installed to use

01:20

the python script or

01:21

post exploitation tool alright so with

01:23

this behind us let's get into

01:25

demo number one

01:26

[Music]

01:30

all right so for the first demonstration

01:32

this is a bit outdated

01:34

all you need is a remote access to a

01:36

windows machine as well as python

01:38

installed so with that being said let's

01:40

go ahead and transition over to my

01:42

screen here

01:43

in front of me i have a virtual

01:45

connection to my home lab which is

01:46

running a virtual machine

01:48

specifically windows 10 home edition

01:51

now this virtual machine has the latest

01:53

version of google chrome installed

01:55

and it has python 3.8 installed so for

01:58

the first technique

01:59

it is a python script which allows you

02:01

to get the username and

02:03

password in front of me i have a python

02:05

script which i pulled off

02:07

from an online article link in the

02:09

description below as well on the side of

02:10

the screen

02:11

full credit goes to this author i made

02:13

just a couple of edits for my specific

02:16

use case

02:16

up until chrome 79 you could get all the

02:18

passwords and usernames

02:20

and to do this all you had to do was go

02:22

to the folder location where chrome

02:25

stores its passwords

02:26

get the website url the value in the

02:29

password value

02:30

right here from the sql database and

02:33

then you could iterate through

02:34

the lines and get the password so i'm

02:37

gonna go ahead and

02:38

run this in my case and you're gonna see

02:41

two things

02:42

the first thing is a tuple and we're

02:44

gonna go over that in a moment but the

02:45

second thing

02:46

is an error from chrome 80 and up google

02:49

made a patch or changed their method of

02:52

storing the password

02:53

which no longer allows you to unencrypt

02:56

the password

02:57

in this case it's a bit outdated if you

02:58

were to find a machine

03:00

say in chrome 79 you could go ahead and

03:02

use this method the first

03:04

bit of output is a tuple and in this

03:06

case

03:07

we can locate both the websites as well

03:11

as the

03:11

username so we have both of those things

03:14

and then as you can see here we have an

03:16

encrypted password which we don't have

03:19

access

03:20

to now you do have to have a saved

03:22

password in google chrome which i went

03:24

ahead and saved

03:25

and there you go you can get the website

03:28

as well

03:28

as the username it's not very

03:31

sophisticated anymore it's outdated but

03:33

if it is up to chrome 79 you can go

03:35

ahead and do this

03:36

method now let's get on to demonstration

03:39

number two

03:45

all right for the second demonstration

03:46

we're going to be quickly reviewing the

03:48

post

03:48

exploitation tool in this case it's

03:50

called LaZagne target is going to be

03:52

firefox

03:52

and the linux operating system now here

03:55

in front of me we see a github

03:56

page and it's an overview of the LaZagne

03:59

tool you can go ahead and install it for

04:01

linux mac or

04:02

windows and we're going to be using the

04:04

linux in this case

04:06

now LaZagne is a post exploitation tool

04:08

which allows you to extract passwords

04:11

from various types of systems including

04:13

browsers and wi-fi

04:14

in this case the scope is browsers in a

04:17

real world scenario once you would have

04:18

access to

04:20

the machine you'd go ahead and install

04:22

LaZagne on here

04:23

and then you could go ahead and extract

04:25

the passwords while LaZagne is already

04:26

installed on

04:27

this environment it is very easy to

04:30

extract the passwords

04:31

from whatever browser it goes through a

04:33

lot of browsers here in front of me i

04:35

have a terminal session open

04:36

and i'm going to go ahead and launch the

04:39

LaZagne tool

04:40

using python

04:47

i'm going to be using the browsers

04:49

option so in front of me once i hit

04:50

enter

04:51

we are going to see that the passwords

04:54

have been found

04:55

now in this case what i've done is i

04:58

went ahead and saved a couple passwords

05:00

to uh the browser firefox and as you can

05:03

see we have the url

05:05

login and the password so there you go

05:08

LaZagne is a very easy tool to use once you

05:11

have gained access

05:12

to the remote systems all right so with

05:14

these two demonstrations behind us

05:17

what can you do to really remediate or

05:20

i guess protect yourself against an

05:22

attack like this one but let's go ahead

05:24

and overview a solution that i propose

05:27

[Music]

05:28

[Applause]

05:32

first off i wouldn't save your passwords

05:35

to your browser now the limitation to

05:37

this entire attack is that

05:39

the attacker is already gonna have to

05:41

have access

05:42

to your machine which that could be

05:44

remotely or

05:45

physical so that is the big limitation

05:47

to this attack what i would recommend

05:48

you do is look into a password

05:51

management solution now there's all

05:53

types of password management solutions

05:54

out there

05:55

you have locally hosted ones such as

05:57

keepass you can even locally host your

05:59

own

06:00

password manager on your home network or

06:02

you can look into

06:04

something that's a little bit more

06:05

convenient such as third-party

06:08

cloud hosted password managers

06:10

1Password

06:11

i highly recommend lastpass there is all

06:13

types of password managers out there

06:15

that's what i would recommend that you

06:17

do

06:17

instead of entering the limitation of

06:20

chrome

06:21

firefox or any of the popular browsers

06:23

which only have your password saved to

06:25

that specific

06:26

browser i would recommend looking into a

06:29

password management solution

06:31

alright so that's it for today's video

06:33

hopefully that you have learned

06:34

something new

06:35

i just thought that this was a very

06:36

interesting topic to just overview

06:38

really quickly

06:39

and you know maybe suggest a password

06:41

management solution

06:42

if you've enjoyed uh please consider

06:45

liking the video which would help me

06:47

and yeah until the next time have a good

06:49

day

