If you have your browser set to save passwords, then it’s possible to go into the browser’s settings to retrieve them. You can also use a free program called WebBrowserPassView from www.nirsoft.net/utils/web_browser_password.html
I’ve used this in the past and wasn’t sure if it would work on modern systems, so I downloaded the latest version and gave it a try.
Go to the site and scroll down to almost the bottom of the page and look for Download WebBrowserPassView (In zip file). Also, take notice of the password. I don’t know if they ever change this but at the time of writing it is: wbpv28821@
Decompress the file and enter the password when prompted.
There is no installation. Once extracted, right-click on the WebBrowserPassView.exe and click on Run as administrator. You might not see any results if you don’t do this.
It should automatically start scanning your system, looking for your browsers, and displaying any saved passwords.
You can save a complete list if you want by going to View (top menu), then HTML Report— either all or only selected passwords. Your choice…
Even though the software is perfectly clean, because of its potential for malicious use, Windows 10 users will likely receive two warnings associated with WebBrowserPassView:
- Almost all antivirus products will block the software from running in which case you’ll need to set WebBrowserPassView as an exception in your resident antivirus
- You’ll also probably receive a Windows popup warning– to run WebBrowserPassView you’ll need to click “More Info” in the popup warning and then click “Run anyway“
The fact that readily available freeware is able to extract encrypted passwords from browsers and display them in plain text so easily is somewhat troubling. Testing with other major browsers revealed the following:
- Firefox: all passwords successfully extracted and listed in plain text, despite being protected with a master password
- Chrome: all passwords successfully extracted and listed in plain text
- Edge: all passwords successfully extracted and listed in plain text
The security implications are obvious. Mind you, anyone with malicious intent would require hands-on access to utilize this software. Also, anyone with hands-on access could easily export saved passwords to a CSV file which can then be viewed in plain text. That said, it shows it can be done and that is always a concern. It also re-enforces the notion that saving passwords within a browser, while convenient, is not ideal and password managers present a far more secure option.
*FURTHER READING: How To Export Saved Passwords From Browsers