Home

Are my passwords really secure in Edge or Chrome?

%3CLINGO-SUB%20id%3D%22lingo-sub-911128%22%20slang%3D%22en-US%22%3EAre%20my%20passwords%20really%20secure%20in%20Edge%20or%20Chrome%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-911128%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20692px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F137336i291EB01274EA8E62%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22simpsonpassword.jpg%22%20title%3D%22simpsonpassword.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGood%20Morning%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%20recently%20cleaned%20up%20all%20Edge-Canary%20settings%2C%20including%20site%20%3CSTRONG%3Eusers%3C%2FSTRONG%3E%20and%20%3CSTRONG%3Epasswords%3C%2FSTRONG%3E.%3CBR%20%2F%3EUsers%20and%20passwords%20information%20saved%20in%20the%20browser%20are%20stored%20in%20a%20file%20called%20%3CSTRONG%3E%22Login%20Data%22%3C%2FSTRONG%3E%2C%20and%20in%20the%20case%20of%20Edge-Canary%20this%20file%20is%20stored%20in%20%3CEM%3EC%3A%5CUsers%5C%25USERNAME%25%5CAppData%5CLocal%5CMicrosoft%5CEdge%20SxS%5CUser%20Data%5CDefault%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EIt%20works%20the%20same%20way%20in%20Chrome%2C%20with%20the%20same%20filename%2C%20but%20logically%20in%20a%20different%20location.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20back%20to%20the%20Edge-Canary%20case%2C%20I%20have%20some%20saved%20system%20images.%3C%2FP%3E%3CP%3ESo%20I%20opened%20one%20of%20these%20images%2C%20located%20the%20%22Login%20Data%22%20file%2C%20and%20copied%20it%20to%20the%20directory%20I%20mentioned%20above.%20And%20the%20passwords%20for%20websites%20that%20had%20been%20deleted%20obviously%20reappeared.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Login%20Data%22%20file%20is%20encrypted%2C%20but%20using%20the%20browser%20you%20can%20export%20this%20information%20to%20a%20CSV%20file%2C%20and%20in%20this%20CSV%20file%20passwords%20are%20decrypted.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%3A%20is%20it%20possible%20for%20someone%20to%20hack%20into%20my%20computer%2C%20copy%20my%20%22Login%20Data%22%20file%2C%20paste%20this%20file%20into%20the%20specific%20directory%20on%20his%20computer%2C%20and%20thus%20have%20access%20to%20the%20usernames%20and%20passwords%20I%20use%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-911259%22%20slang%3D%22en-US%22%3ERe%3A%20Are%20my%20passwords%20really%20secure%20in%20Edge%20or%20Chrome%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-911259%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F425212%22%20target%3D%22_blank%22%3E%40IsJustMe_OrIsItGetting%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%26gt%3B%20My%20question%20is%3A%20is%20it%20possible%20for%20someone%20to%20hack%20into%20my%20computer%2C%20copy%20my%20%22Login%20Data%22%20file%2C%20paste%20this%20file%20into%20the%20specific%20directory%20on%20his%20computer%2C%20and%20thus%20have%20access%20to%20the%20usernames%20and%20passwords%20I%20use%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ENo.%20It's%20encrypted%20with%20your%20Windows%20password%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsecurity.stackexchange.com%2Fquestions%2F44493%2Fvulnerability-of-chromes-login-data-file-after-being-orphaned-from-the-host-s%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3EVulnerability%20of%20Chrome's%20%E2%80%9CLogin%20Data%E2%80%9D%20file%20after%20being%20orphaned%20from%20the%20host%20system%3C%2FSPAN%3E%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-911272%22%20slang%3D%22en-US%22%3ERe%3A%20Are%20my%20passwords%20really%20secure%20in%20Edge%20or%20Chrome%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-911272%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F63137%22%20target%3D%22_blank%22%3E%40Bruce%20Roberts%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20someone%20is%20%3CSTRONG%3Eable%20to%20hack%20into%20his%20computer%3C%2FSTRONG%3E%20then%20he%2Fshe%20is%20%3CSTRONG%3Epretty%20much%20able%20to%20crack%20that%20login%20file%20too%2C%20%3C%2FSTRONG%3Esince%20they%20both%20use%20the%20%3CSTRONG%3Esame%20password%3C%2FSTRONG%3E.%26nbsp%3Bthat%20could%20even%20be%20the%20only%20reason%20his%20computer%20would%20be%20hacked.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThis%20one%20is%20better%2C%20%3C%2FSTRONG%3Etaken%20from%20the%20same%20topic%20you%20linked%20to%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWindows%20user's%20password.%20This%20means%20that%20%3CSTRONG%3Eevery%20other%20program%20running%20under%20your%20Windows%20user%20is%20able%20to%20decrypt%20the%20login%20data.%3C%2FSTRONG%3E%20In%20fact%2C%20that's%20how%20%3CSTRONG%3Etools%20like%20ChromePass%20and%20ChromePasswordDecryptor%20work.%3C%2FSTRONG%3E%20They%20only%20decrypt%20the%20file%20and%20reveal%20the%20passwords%26nbsp%3Bonly%26nbsp%3Bif%20you%20run%20them%20on%20the%20same%20system%20that%20encrypted%20the%20file%20(or%2C%20perhaps%2C%20provide%20the%20victim's%20Windows%20password).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eso%20once%20a%20hacker%20has%20gained%20access%20to%20that%20system%2C%20they%20can%20%3CSTRONG%3Eremotely%3C%2FSTRONG%3E%20run%20those%20programs%20or%20even%20create%20one%20of%20their%20own%20(which%20is%20super%20easy)%20and%20gain%20access%20to%20the%20user's%20password.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%2C%20the%20OP%20explicitly%20said%20%22s%3CSPAN%3Eomeone%20to%20hack%20into%20my%20computer%22%20%2C%20once%20that%20is%20done%2C%20everything%20else%20is%20like%20drinking%20water%20%3A)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3EBottom%20line%2C%3C%2FSTRONG%3E%20don't%20let%20your%20computer%20be%20hacked%20in%20the%20first%20place%20because%20that%20opens%20the%20door%20to%20everything%20else.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-911197%22%20slang%3D%22en-US%22%3ERe%3A%20Are%20my%20passwords%20really%20secure%20in%20Edge%20or%20Chrome%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-911197%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F425212%22%20target%3D%22_blank%22%3E%40IsJustMe_OrIsItGetting%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%3CSTRONG%3EShort%20Answer%3A%20Yes%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ELong%20Answer%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIF%20someone%20manages%20to%20%3CSTRONG%3Ehack%20into%20your%20system%3C%2FSTRONG%3E%20and%20gain%20access%20then%20%3CSTRONG%3Ethey%20can%20do%20everything%20you%20can%20do.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3Ebut%20that's%20a%20Big%20IF.%20browsers%20like%20Chrome%20or%20Edge%20have%20no%20problem%20related%20to%20the%20safety%20of%20the%20passwords%2C%20even%20if%20they%20were%20to%20save%20your%20passwords%20in%20a%20plain%20text%2C%20that%20wouldn't%20be%20much%20of%20an%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20thing%20you%20should%20be%20worried%20about%20is%20to%20%3CSTRONG%3Eprevent%20hackers%3C%2FSTRONG%3E%20from%20gaining%20access%20to%20your%20system%3CSTRONG%3E%20in%20the%20first%20place.%3C%2FSTRONG%3E%20I%20can%20say%20about%20%3CSTRONG%3E90%25%20of%20the%20time%20it's%20the%20user's%20fault%3C%2FSTRONG%3E%20and%20their%20actions%2Fdecisions.%3C%2FP%3E%3CP%3Ethe%20other%20%3CSTRONG%3E10%25%20could%20be%20related%20to%20the%20installed%20programs%20and%20OS%3C%2FSTRONG%3E%20which%20you%20can%20take%20care%20of%20by%20always%20installing%20the%20latest%20Windows%2010%20version%20and%20keep%20it%20updated%20and%20also%20get%20rid%20of%20the%20unnecessary%20programs%20(to%20reduce%20attack%20surface)%20and%20make%20sure%20they%20are%20always%20updated%20as%20well.%3C%2FP%3E%3CP%3Ethere%20are%20lots%20of%20articles%20about%20Hardening%20the%20OS%20for%20the%20extra%20protection.%20but%20none%20of%20them%20can%20help%20when%20the%20user%20intentionally%2Faccidentally%20compromises%20his%2Fher%20own%20system%20by%20his%2Fher%20actions%2Fdecisions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-911274%22%20slang%3D%22en-US%22%3ERe%3A%20Are%20my%20passwords%20really%20secure%20in%20Edge%20or%20Chrome%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-911274%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20answering%20the%20only%20specific%20question%20asked%2C%20about%20taking%20the%20file%20to%20another%20computer.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(There%20are%20many%20ways%20to%20hack%20into%20a%20computer%20without%20obtaining%20a%20particular%20user's%20password.)%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Deleted
Not applicable

simpsonpassword.jpg

 

Good Morning


I recently cleaned up all Edge-Canary settings, including site users and passwords.
Users and passwords information saved in the browser are stored in a file called "Login Data", and in the case of Edge-Canary this file is stored in C:\Users\%USERNAME%\AppData\Local\Microsoft\Edge SxS\User Data\Default


It works the same way in Chrome, with the same filename, but logically in a different location.

 

But back to the Edge-Canary case, I have some saved system images.

So I opened one of these images, located the "Login Data" file, and copied it to the directory I mentioned above. And the passwords for websites that had been deleted obviously reappeared.

 

"Login Data" file is encrypted, but using the browser you can export this information to a CSV file, and in this CSV file passwords are decrypted.

 

My question is: is it possible for someone to hack into my computer, copy my "Login Data" file, paste this file into the specific directory on his computer, and thus have access to the usernames and passwords I use?

4 Replies
Highlighted

@Deleted 

Hi,

Short Answer: Yes

 

Long Answer:

 

IF someone manages to hack into your system and gain access then they can do everything you can do.

but that's a Big IF. browsers like Chrome or Edge have no problem related to the safety of the passwords, even if they were to save your passwords in a plain text, that wouldn't be much of an issue.

 

The thing you should be worried about is to prevent hackers from gaining access to your system in the first place. I can say about 90% of the time it's the user's fault and their actions/decisions.

the other 10% could be related to the installed programs and OS which you can take care of by always installing the latest Windows 10 version and keep it updated and also get rid of the unnecessary programs (to reduce attack surface) and make sure they are always updated as well.

there are lots of articles about Hardening the OS for the extra protection. but none of them can help when the user intentionally/accidentally compromises his/her own system by his/her actions/decisions.

 

 

Highlighted

@Deleted 

 

> My question is: is it possible for someone to hack into my computer, copy my "Login Data" file, paste this file into the specific directory on his computer, and thus have access to the usernames and passwords I use?

 

No. It's encrypted with your Windows password:

Vulnerability of Chrome's “Login Data” file after being orphaned from the host system

Highlighted

@Bruce Roberts 

 

When someone is able to hack into his computer then he/she is pretty much able to crack that login file too, since they both use the same password. that could even be the only reason his computer would be hacked.

 

This one is better, taken from the same topic you linked to:

 

Windows user's password. This means that every other program running under your Windows user is able to decrypt the login data. In fact, that's how tools like ChromePass and ChromePasswordDecryptor work. They only decrypt the file and reveal the passwords only if you run them on the same system that encrypted the file (or, perhaps, provide the victim's Windows password).

 

so once a hacker has gained access to that system, they can remotely run those programs or even create one of their own (which is super easy) and gain access to the user's password.

 

Anyway, the OP explicitly said "someone to hack into my computer" , once that is done, everything else is like drinking water :)

 

Bottom line, don't let your computer be hacked in the first place because that opens the door to everything else.

Highlighted

@HotCakeX 

 

I was answering the only specific question asked, about taking the file to another computer.

 

(There are many ways to hack into a computer without obtaining a particular user's password.)

Related Conversations