|
-
October 20th, 2004, 08:33 AM
#31
Stage 1:
I signed up for a free account at nytimes.com, and said yes in both browsers to remember the password.
Observations:
At least Firefox, and probably IE encrypt both the username and the password.
In Firefox's case, I haven't done any exploration of the encryption method. I will get to it later. For starters, it stored everything in c:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\aer7j1o6.default\signons.txt. The info it stored appears thusly in the file:
Whatever it is using to salt the encryption algorithm generates a consistent first 45 bytes of data, with only the last 25 bytes variable. Interestingly, I used the password and username the same, but it still provided different encryption results (though it does help to explain the similarities, I would venture). This is definitely not a simple base64_encode(), it is definitely encrypted. How, I am not sure, and am going to save for another day, just like I'm going to save playing with the rest of IE for another day. 
In IE's case, all that is held outside the "Protected System Storage" is the ID for the site, which is stored in:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW as a DWORD called "8[H=?2N=/5BLV #", or "38 5b 48 3d 3f 32 4e 3d 2f 35 42 4c 56 20 23" in hex.
I'll append more on this when I get the opportunity.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote