How to Steal Password Saved In Chrome, Firefox & Safari
Google chrome is probably the worst in protecting your passwords since it stores them in plain text and it can be accessed by any user accessing google chrome. Other browsers are storing them with login protection e.g. Firefox supports master password to protect all saved passwords.
There are many security threats related to password strength, password reuse, plain text password storage, password hashing and password encryption. In this article we are not focusing on any of those threats, However we are trying to demonstrate that anyone can see your saved password in any browser very easily by following below simple steps. A pro hacker will not even consider this a hack since its so simple and does not even require special knowledge or understanding of hacking or use of any sophisticated hacking tools.
Let me remind you that the purpose of this tutorial is demonstrate how unsafe your passwords are with browser save password feature. Therefore try to avoid using the password save features if you system can be accessed by untrusted people.
It may happen sometimes when you leave your work computer unlocked for few minutes. Therefore must be a strong reason for leaving your workstation locked when stepping out (even if for few minutes).
Please do not use this technique unethically.
- Open your favorite browser (Lets say Chrome). The below steps are going to work same on Latest versions of Safari, Mozilla Firefox and Google Chrome.
- Go the site that has a username and password saved. (Lets Say http://www.evernote.com )
- Let the browser fill your username & password information.
- Now right click on the password field and select "Inspect Element". This should bring the source of html page.
- Double click on the text type="password"
- Change this to type="text"
- Done - you will be able to see the password in clear text on the browser.
This trick will work on almost all browsers that support developer tools for debugging. If you do not see "Inspect Element" option in right click menu you may try addons like FireBug that can provide it.
The technique we used is very common in web development world for debugging web pages. Though its use for retrieving someone's password is not very common.
A better way to protect your passwords will be to not save if in browsers unless you are sure it will not be accessed by any other person.
In general, saving password in browsers is not a good practice since the encryption level in browsers are not very strong. You may want to choose a dedicated password saving application with strong encryption. Mac Keychain is a very good example of secured password storage since it has good encryption and passwords are not revealed without a master/ admin password.