Please store user passwords in a secured location

Both IE and legacy Edge save passwords in Windows Credential Manager, but the Chromium-based Edge does not. It uses the same approach as Chrome, saving user passwords in an unsecured location, which is incredibly insecure.

It saves encrypted user passwords in %localappdata%\Microsoft\Edge\User Data\Default\Login Data, and the decryption key in %localappdata%\Microsoft\Edge\User Data\Local State. (For Chrome users, just change Microsoft\Edge to Google\Chrome.)

Although Edge itself has functionality that can require authentication before auto-filling/viewing a password, malware can simply bypass that authentication, decrypt the user's passwords with the decryption key saved in Local State using AES, and then leak them on the Internet. It means that once the user successfully signs in to the computer, any program on the computer can decrypt the passwords saved by Edge with ease, which makes the password protection of Edge a no-op!

See "How to crack Chrome password with Python?" by Yicong on Medium for how to decrypt the password.

Please store user passwords in a secured location (for example, by switching back to Windows Credential Manager), so that the decryption process cannot bypass the cryptographic protection provided by the system, such as Windows Hello.
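As an added defender-side example (not code from the post or from Microsoft), the following Python script inventories the exposure the post describes without decrypting anything: it reads the `os_crypt.encrypted_key` entry of Local State (the real key name, an assumption not stated in the post) to confirm the browser key is only DPAPI-wrapped for the signed-in user, and counts the rows in the `logins` table of a copy of Login Data. The sample Local State and Login Data below are constructed inline so the script runs offline; `default_edge_paths()` builds the real paths from the post.

```python
import base64, json, os, shutil, sqlite3, tempfile
from pathlib import Path

# Constructed sample: Chromium stores base64("DPAPI" + DPAPI blob) under os_crypt.encrypted_key.
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(b"DPAPI" + b"\x01" * 16).decode()}}
)

def make_sample_login_data(path):
    """Create a constructed Login Data SQLite file using the real table and column names."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://example.test/login", "alice", b"v10-ciphertext"),
        ("https://mail.example.test", "alice@example.test", b"v10-ciphertext"),
    ])
    con.commit()
    con.close()

def key_scope(local_state_json):
    """Report how the browser key is protected: 'dpapi-user' means any process running
    as the signed-in user can unwrap it, which is the weakness the post points out."""
    raw = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    return "dpapi-user" if raw.startswith(b"DPAPI") else "unknown"

def count_saved_logins(login_data_path):
    """Count stored credentials. The live DB is locked by the browser, so audit a
    read-only copy; password_value is never read."""
    with tempfile.TemporaryDirectory() as d:
        copy = os.path.join(d, "login_data_copy.db")
        shutil.copy2(login_data_path, copy)
        con = sqlite3.connect(Path(copy).as_uri() + "?mode=ro", uri=True)
        n = con.execute("SELECT COUNT(*) FROM logins").fetchone()[0]
        con.close()
    return n

def audit_profile(local_state_json, login_data_path):
    return {"key_scope": key_scope(local_state_json),
            "saved_logins": count_saved_logins(login_data_path)}

def default_edge_paths():
    """Real Edge locations from the post; swap Microsoft\\Edge for Google\\Chrome for Chrome."""
    base = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Microsoft", "Edge", "User Data")
    return os.path.join(base, "Local State"), os.path.join(base, "Default", "Login Data")

def run_sample_audit():
    """Run the audit against the constructed sample files."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "Login Data")
        make_sample_login_data(db)
        return audit_profile(SAMPLE_LOCAL_STATE, db)

if __name__ == "__main__":
    print(run_sample_audit())
```

On a real machine, pass the two paths from `default_edge_paths()` to `audit_profile()` after reading Local State as text; a non-zero count under `dpapi-user` is exactly the exposure the post is asking Microsoft to close.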