Tag: SSO

How to Find Hidden & Saved Passwords in Windows 10

For years users have wanted to save time and effort when accessing servers on the network, Web sites requiring credentials, etc. So, there have been options in the operating system to save usernames and passwords for faster and easier access. I am sure you have seen this, either in a prompt or a checkbox, asking you to save the password. In Windows, you have the ability to store the credentials for resources that you access often, or just don’t want to have to remember the password.  Although this is a time-saving option, you might want to reconsider using this feature due to security issues.

Key Holder

Windows stores the passwords that you use to log in, access network shares, or shared devices. All of these passwords are stored in an encrypted format, but some passwords easily are decrypted using your Windows login password.

Windows stores the login credential details in a hidden desktop app named Credential Manager. Here is how to find this app, how to see which credentials are stored by Windows and how to manage them:

What is the Credential Manager?

Credential Manager is the “digital locker” where Windows stores log-in credentials like usernames, passwords, and addresses. This information can be saved by Windows for use on your local computer, on other computers in the same network, servers or internet locations such as websites. This data can be used by Windows itself or by programs like File Explorer, Microsoft Office, Skype, virtualization software and so on. Credentials are split into several categories:

  • Windows Credentials – are used only by Windows and its services. For example, Windows can use these credentials to automatically log you into the shared folders of another computer on your network. It can also store the password of the Homegroup you have joined and uses it automatically each time you access what is being shared in that Homegroup. If you type a wrong log-in credential, Windows remembers it and fails to access what you need. If this happens, you can edit or remove the incorrect credential, as shown in later sections of this article.
  • Certificate-Based Credentials – they are used together with smart-cards, mostly in complex business network environments. Most people will never need to use such credentials and this section is empty on their computers. However, if you want to know more about them, read this article from Microsoft: Guidelines for enabling smart card logon with third-party certification authorities.
  • Generic Credentials – are defined and used by some of the apps you install in Windows so that they get the authorization to use certain resources. Examples of such apps include OneDrive, Slack, Xbox Live, etc.
  • Web Credentials – they represent login information for websites that are stored by Windows, Skype, Internet Explorer or other Microsoft apps. They exist only in Windows 10 and Windows 8.1, but not in Windows 7.

How to open the Credential Manager in Windows:

The method that works the same in all versions of Windows. First, open the Control Panel and then go to “User Accounts  –> Credential Manager.”

Capture-1

You’ll notice there are two categories: Web Credentials and Windows Credentials. The web credentials will have any passwords from sites that you saved while browsing in Internet Explorer or Microsoft Edge. Click on the down arrow and then click on the Show link.

Capture-2

You’ll have to type in your Windows password in order to decrypt the password.

Capture-4

f you click on Windows Credentials, you ’ll see fewer credentials stored here unless you work in a corporate environment. These are credentials when connecting to network shares, different computers on the network, or network devices such as a NAS.

Capture-3

In the same way, I’ll also mention how you can view Google Chrome saved passwords. Basically, each browser has the same feature, so you can do the same thing for Firefox, Safari, etc. In Chrome, click on the three dots at the top right and then click on Settings. Scroll down and then click on Passwords.

Under Passwords, enable Offer to save your web passwords. You can view the saved passwords.

Capture-5

History of the Credential Manager:

According to a 1996 Network Applications Consortium (NAC) study, users in large enterprises spend an average of 44 hours per year performing login tasks to access a set of four applications. The same study revealed that 70 percent of calls to companies’ Help desks were password-reset requests from users who had forgotten a password.

Single sign-on (SSO) is an approach that attempts to reduce the time users spend performing login tasks and the number of passwords users must remember. The Open Group, an international vendor and technology-neutral consortium dedicated to improving business efficiency, defines SSO as the “mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where that user has access permission, without the need to enter multiple passwords”

SSO solutions come in two flavors: solutions that deal with one set of user credentials and solutions that deal with multiple sets of user credentials.

A good example of the first type of solution is a Kerberos authentication protocol-based SSO setup.

A good example of the second type of solution is the Credential Manager. Credential Manager is a new SSO solution that Microsoft offers in Windows Server 2003 and Windows XP. It’s based on a secure client-side credential-caching mechanism.

The Windows 2000 (and earlier) requirement that users must re-enter the same credentials whenever they access resources on the same Internet or intranet server can be frustrating for users, especially when they have more than one set of credentials. Administrators often must cope with the same frustration when they have to switch to alternative credentials to perform administrative tasks. Credential Manager solves these problems.

Conclusion:

Browser-stored passwords make it easy for hackers to get inside your network

allowing a browser to “remember” passwords can pose a major security risk because:

  • Password recovery tools can easily find these passwords.
  • Browsers typically do not use strong encryption for these passwords.
  • Users do not monitor and rarely change these passwords once they store them in their browser.

DO NOT USE THE “REMEMBER PASSWORD” FEATURE ON APPLICATIONS SUCH AS WEB BROWSERS (Google Chrome, Mozilla Firefox, Safari, Internet Explorer etc.)

For IT Admins:

Get your FREE Browser-Stored Password Discovery Tool from Thycotic to quickly and easily identify risky storage of passwords in web browsers among your Active Directory users. You get reports that identify:

  • Top 10 common machines with browser-stored passwords
  • Top 10 common users with browser-stored passwords
  • Top 10 most frequently used websites with browser-stored passwords

The Browser-Stored Password Discovery Tool is free. You can re-run the Browser-Stored Password Discovery Tool at any time to identify browser password risks and help enforce compliance with web browser security policies.

Source: online-tech-tips, digitalcitizen, techgenix,

 

SECURITY+ Acronyms

Acronym

Stands for

3DES Triple Data Encryption Standard
AAA Authentication, Authorization and Accounting
ACL Access Control List
AES Advanced Encryption Standard
AES 256 Advanced Encryption Standards, 256-bit
AH Authentication Header
ARP Address Resolution Protocol
AUP Acceptable Use Policy
BCP Business Continuity Planning
BIOS Basic Input/Output System
BOTS Network Robots
CA Certificate Authority
CCTV Closed-Circuit Television
CERT Computer Emergency Response Team
CHAP Challenge Handshake Authentication Protocol
CIRT Computer Incident Response Team
CRL Certification Revocation List
DAC Discretionary Access Control
DDOS Distributed Denial of Service
DEP Data Execution Prevention
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DLL Dynamic Link Library
DLP Data Loss Prevention
DMZ Demilitarized Zone
DNS Domain Name Service
DOS Denial Of Service
DRP Disaster Recovery Plan
DSA Digital Signature Algorithm
EAP Extensible Authentication Protocol
ECC Elliptic Curve Cryptography
EFS Encrypted File System
EMI Electromagnetic Interference
ESP Encapsulated Security Payload
FTP File Transfer Protocol
GPU Graphic Processing Unit
GRE Generic Routing Encapsulation
HDD Hard Disk Drive
HIDS Host-Based Intrusion Detection System
HIPS Host-Based Intrusion Prevention System
HMAC Hashed Message Authentication Code
HSM Hardware Security Module
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol over SSL
HVAC Heating, Ventilation, Air Conditioning
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ID Identification
IKE Internet Key Exchange
IM Internet Messaging
IMAP4 Internet Message Access Protocol v4
IP Internet Protocol
IPSEC Internet Protocol Security
IRC Internet Relay Chat
ISP Internet Service Provider
KDC Key Distribution Center
L2TP Layer 2 Tunneling Protocol
LANMAN Local Area Network Manager
LDAP Lightweight Directory Access Protocol
LEAP Lightweight Extensible Authentication Protocol
MAC Mandatory Access Control / Media Access Control
MAC Message Authentication Code
MBR Master Boot Record
MDS Message Digest 5
MSCHAP Microsoft Challenge Handshake Authentication Protocol
MTU Maximum Transmission Unit
NAC Network Access Control
NAT Network Address Translation
NIDS Network-Based Intrusion Detection System
NIPS Network-Based Intrusion Prevention System
NOS Network Operating System
NTFS New Technology File System
NTLM New Technology LANMAN
NTP Network Time Protocol
OS Operating System
OVAL Open Vulnerability Assessment Language
PAP Password Authentication Protocol
PAT Port Address Translation
PEAP Protected Extensible Authentication Protocol
PGP Pretty Good Privacy
PKI Public Key Infrastructure
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
PSK Pre-Shared Key
RA Recovery Agent
RADIUS Remote Authentication Dial-in User Server
RAID Redundant Array of Inexpensive Disks
RAS Remote Access Server
RBAC Role Based Access Control
RSA Rivest, Shamir & Adleman
RTP Real-Time Transport Protocol
S/MIME Secure/Multipurpose Internet Mail Extension
SaaS Software as a Service
SCAP Security Content Automation Protocol
SCSi Small Computer System Interface
SDLC Software Development Life Cycle
SDLM Software Development Life Cycle Methodology
SHA Secure Hashing Algorithm
SHTTP Secure Hypertext Transfer Protocol
SIM Subscriber Identity Module
SLA Service Level Agreement
SLE Single Loss Expectancy
SMS Short Message Service
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SSH Secure Shell
SSL Secure Sockets Layer
SSO Single Sign-On
TACACS Terminal Access Controller Access Control System
TCP/IP Transmission Control Protocol/Internet Protocol
TLS Transport Layer Security
TPM Trusted Platform Module
UAT User Acceptance Testing
UPS Uninterrupted Power Supply
URL Universal Resource Locator
USB Universal Serial Bus
UTP Unshielded Twisted Pair
VLAN Virtual Local Area Network
VoIP Voice Over IP
VPN Virtual Private Network
VTC Video Teleconferencing
WAF Web Application Firewall
WAP Wireless Access Point
WEP Wired Equivalent Privacy
WIDS Wireless Intrusion detection System
WIPS Wireless Intrusion Prevention System
WPA Wireless Protected Access
XSRF Cross-Site request Forgery
XSS Cross-Site Scripting