Sunday, November 11, 2007

Recover a lost password from your web browser

If you forgot your web site password, you can restore it from your web browser, provided that the web browser is configured to store passwords, which is normally true. There are plenty of commercial password-recovery-tools out there promising to obtain and decrypt any password from any browser. Before purchasing one, I whant you to know that recovering a web browser password can be done easily and for free. In Mozilla Firefox, simply select Tools -> Options -> Security -> Show passwords.
The following is a brief instruction for browsers which do not show passwords (like IE I suppose). I personally used this approach to recover a password for my online banking service:

  • Install Java Runtime Envioronvent. You can download it here:
  • Download a Burp proxy, which is a free proxy software with an ability to capture and display http(s) traffic:
  • Unpack and run the .bat file there. If you have a firewall on your desktop, allow the java application to access the network in the firewall popup window.
  • In Burp, switch the 'intercept on' button on the proxy -> intercept tab.
  • In your web browser, set proxy to localhost, port 8080. In Mozilla Firefox, for example, this setting is available somewhere in Tools -> Settings -> Other -> Network -> Settings. Check the radio box "manual proxy settings" and enter hostname 'localhost' and port '8080' for both HTTP and SSL connecctions.
  • Goto the login page in you browser and log in. The login form should be captured by Burp proxy.
  • In Burp Proxy window you will see the HTTP request list, from which the one marked with 'POST' is most likely the login request itself. Double-click it. You will see the raw HTTP request, starting with word 'POST' and blah-blah-blah. At the end of the request text there should be the login form data, containing your lost password, like the following:
  • Find the password field there. It should have the name Passwd= or password= or something like that. Whatever follows the '=' up to the '&' is you lost password (in this case, the password in 12345, which is, of course, a faked one :)).
  • Do not forget to restore you proxy settings in your browser :)
Apart of its low cost, the approach has an advantage that it will work with any web browser, as it tries to solve the problem on a network side and does not deal with passwords stored in browsers.