2005-11-02

Retrieving Stored Web Passwords

The other day I needed to retrieve a stored password from a form that had moved. I was eventually able to do it with a very simple bookmarklet. Let's pretend this is your password field:

Username: 
Password: 

If you click here, you should see an alert with the value of whatever is in the password field.

No big deal. However, if the password was automatically filled in by your password manager, this trick still works. If someone else is using your computer and wants to retrieve your stored password, they merely have to concoct a simple bookmarklet to retrieve it:

javascript:alert(document.formName.passwordInputName.value)

This seems to be a bug/feature of all of the major browsers (I tested it in recent versions of Safari, Firefox and Win IE). It's probably quite tricky to fix without breaking a significant minority of sites. I guess the moral of the story is don't store any really valuable passwords in your browser's password manager.

You can even create a generic Password Retriever bookmarklet that pops up (one after the other) the name and value of all password fields on any web page, including, of course, those populated by the browser's password manager.

Update: Here's an even simpler version: it just changes the type attribute of all password inputs to "text", so the password shows up on screen without any annoying alert boxes.
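To check your own exposure on a given page, the sketch below (an added example, not code from the original post) uses the same DOM access as the bookmarklet above but reports only which password fields are populated and how many characters script can read, never the value. The function names and the sample document are constructed for illustration; in a browser console the audit runs against the live `document`.

```javascript
// Added example: report which password fields hold a value that page
// script can read. Only the length is reported, never the value itself.
function auditPasswordFields(doc) {
  // Same DOM access as the bookmarklet in the post: input.value is plain
  // text to script even though the browser masks it on screen.
  const inputs = Array.from(doc.querySelectorAll('input[type="password"]'));
  return inputs.map((input) => {
    const value = typeof input.value === 'string' ? input.value : '';
    return {
      form: (input.form && (input.form.name || input.form.id)) || '(no form)',
      field: input.name || input.id || '(unnamed)',
      populated: value.length > 0,
      readableLength: value.length,
    };
  });
}

function summarize(report) {
  const exposed = report.filter((r) => r.populated);
  if (exposed.length === 0) return 'No populated password fields found.';
  return exposed
    .map((r) => `${r.form}.${r.field}: ${r.readableLength} characters readable by page script`)
    .join('\n');
}

// Constructed stand-in for `document` so the audit also runs outside a browser.
function makeSampleDocument() {
  const form = { name: 'formName' };
  const fields = [
    { type: 'text', name: 'username', value: 'alice', form },
    { type: 'password', name: 'passwordInputName', value: 'constructed-sample', form },
    { type: 'password', name: 'confirm', value: '', form },
  ];
  return {
    querySelectorAll(selector) {
      // Supports only the one selector the audit uses.
      return selector === 'input[type="password"]'
        ? fields.filter((f) => f.type === 'password')
        : [];
    },
  };
}

// In a browser console this audits the live page; elsewhere it uses the sample.
const target = typeof document !== 'undefined' ? document : makeSampleDocument();
console.log(summarize(auditPasswordFields(target)));
```

A populated field in the report means any script running in that page, not only a bookmarklet, can read the stored password.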

1 Comment:

At 8:18 PM, Blogger Frank said...

After a bit of googling, I see that there are one or two well-known password-retrieval bookmarklets out there. Still, it doesn't seem like most of the web-surfing public is aware that such a thing exists. I pretend to know about this stuff and I didn't realize it until recently.

 
