IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Forcing Internet Explorer To Forget To Not Remember


All joking aside, last fall, I wrote about the variety of reasons why Internet Explorer might not offer to remember your password on a web form. As I mentioned then, you will not be re-prompted to save your password if you’ve previously declined to store the password for this username on this page by clicking “No” in the prompt:

Clicking No will prevent IE from storing this username/password combination

Internally, this “No” is stored as an entry (“Do not remember any passwords for Username=Eric for url=whatever”) in the Password List. Note: Data is stored as a list because you may have more than one username/password pair for a given page.

Unfortunately, there’s no easy way to reverse your decision if you later change your mind and do want to store the password[1]. Within IE itself, the only way to reset any “Do Not Remember” decision is to wipe all of your previously-stored passwords, for all sites (using the Delete Browsing History feature).

An explanation is in order.

When storing your passwords in the registry, IE doesn’t store the URLs in plaintext. Instead, it creates a registry entry[0] named by the string-serialized SHA-1 hash of the current URL (lowercased, removing query-string and fragment). The entry’s value is the password list, encrypted by the user account's master key[3]. Therefore, the raw URL isn’t stored in the registry, and isn’t really even recoverable[2], due to the nature of hashing. That’s why Delete Browsing History’s option “Preserve Favorites website data” cannot selectively wipe only non-Favorites’ passwords.

The one-way nature of hashing also means that even advanced users cannot easily find the right registry entry to manually delete in order to re-trigger the Remember Password? prompt. To mitigate this difficulty, I’ve put together a trivial utility that allows you to clear the password list for a specified URL. You can try it out by storing some passwords (or refusing to) using the Password AutoComplete test page, and then running this utility.
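The naming scheme and the lookup it forces, sketched as an added example (this is not the author's utility or IE's own code). The UTF-16LE encoding with a terminating null and the appended checksum byte are assumptions taken from public descriptions of this storage format, not from this post; the function names and sample URLs are constructed for illustration.

```python
import hashlib


def normalize_url(url: str) -> str:
    """Lowercase the URL and drop the query string and fragment, as the post describes."""
    for sep in ("#", "?"):
        url = url.split(sep, 1)[0]
    return url.lower()


def storage2_value_name(url: str) -> str:
    """Return the candidate Storage2 value name for a page URL.

    Assumptions (not stated in the post): the URL is hashed as UTF-16LE
    including its terminating null, and one checksum byte (sum of the 20
    digest bytes mod 256) is appended to the uppercase hex digest.
    """
    data = (normalize_url(url) + "\0").encode("utf-16-le")
    digest = hashlib.sha1(data).digest()
    checksum = sum(digest) & 0xFF
    return digest.hex().upper() + f"{checksum:02X}"


def find_entry(url: str, value_names):
    """Return the value name matching `url`, or None if none of them does."""
    wanted = storage2_value_name(url)
    return next((n for n in value_names if n.upper() == wanted), None)


if __name__ == "__main__":
    # Constructed sample: value names as they might be listed under the Storage2 key.
    login = "https://example.test/Members/Login.aspx"
    home = "https://example.test/"
    names = [storage2_value_name(login), storage2_value_name(home)]
    # Query string, fragment and letter case do not change which entry is used...
    print(find_entry("HTTPS://Example.test/members/login.aspx?ReturnUrl=%2F#top", names))
    # ...but a different hosting page maps to a different (here: absent) entry.
    print(find_entry("https://example.test/listings", names))
```

Because the name is derived from the page URL, the only way to locate an entry is to hash the exact URL you are interested in and compare.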

The IE Remember Password tool allows you to clear the entire password list for a specific URL.

It’s important to understand that this tool doesn’t attempt to edit the individual username/password combinations within the password list if you have more than one for a given page. As I mentioned, the Delete Browsing History feature wipes ALL password entries for ALL sites. This tool, in contrast, wipes all password entries for the specified URL only.

Update: Internet Explorer 10 on Windows 8 changes things a bit. On Windows 8 with IE10, IE no longer stores encrypted passwords in the registry; they're stored in the Credential Manager, which you can find by typing Manage Web Credentials in the Start Screen's search box; it'll be in the Settings section. However, this display does not show any of the "No password saved and do not ask" entries, and because those are no longer stored in the old registry key, this utility will not work on Windows 8.

 

-Eric

[0] Under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
[1] In contrast, forcing IE to "forget" a single username/password is simple: Just use the down arrow key and delete key to remove the username from the dropdown list in the username form field.
[2] modulo dictionary attacks.
[3] The DPAPI function CryptProtectData is called to encrypt the salted blob. That API uses the 168-bit 3DES algorithm on Windows Vista and earlier; on Win7 and later, it may use 256-bit AES.

  • Many sites will inadvertently use a number of different document locations to present login credentials to users.

    An example is trademe.co.nz: on their homepage they have a Login link which is scripted with http://www.trademe.co.nz/Members/Login.aspx in the href value but displays an AJAX popup div on the containing page. So the location url that is stored with site credentials in IE's Password store is different depending upon which page on the site that they click the Login link.

    Third party Form Fillers or other browsers which use the form action uri as the key and not the window.location uri can handle this and will present autocomplete information regardless of the hosting page's location uri. Now I know there are security reasons for this behavior in IE and accept that it is the safer form autocomplete model.

    The problem is to educate developers to use design patterns that are safe and accommodate IE's more secure architecture. A common problem I am seeing is that sites will deploy the Facebook api and also offer a Facebook login prompt on their sites.

    Here is an Answers thread about the issue. http://social.answers.microsoft.com/Forums/en/InternetExplorer/thread/a003fe96-8f64-4d4f-a1cd-a0d6291529b1

    Regards.

  • Your IERememberPassword utility is a welcomed tool and will be very helpful to IE8 users. Thanks, Eric!

  • Eric, I see on one of my customer's machines that the hashed values were stored in a location called "storage1" in the registry.

    How does IE determine where to store the values? Will this tool work even if the location is "storage1"?

  • @Sriranga: The Storage1 key is used for non-password AutoComplete-- for instance, the values that you type in a normal text box that isn't a part of a login form. Only the Storage2 key is used for username/password storage.

  • Thanks for the clarification Eric. One more question -  Will IE remember passwords even if the form has more than 2 elements in it? Say, for example, it has username/some id/password and a captcha text. Will it store the username/password pair in the registry?

  • Did a repro at my machine for the above problem.

    Just posting here as information for other users:

    IE will not prompt to remember passwords if the form has more than 2 fields. One more entry to your 'variety of reasons'?

  • @Sriranga: It's already there: Case #4, which used to break Facebook.com before they fixed it.

  • Your utility is very slick, it did just what I wanted it to.

  • Thanks, just what I was hunting for. I screwed up at some point; being a developer I run the same url over and over and couldn't get it to remember. This is what I needed to make typing my password over and over and over.

  • This is awesome - a tool that should be part of IE. Simple and works great.

    thank you for sharing it!

  • Thank you so much for your blog! It's so helpful!

  • Can you then think of any other reason besides making a "do not remember this page's passwords" entry in the passwords list? Ever since trying to update the previously stored password for this particular page, it will now no longer offer the option of saving its password/login info. (This is after clearing all passwords in history and closing and reopening IE, rebooting PC, etc, etc.) I have one persistent page that simply will not be remembered again and your tool indicates that nothing is saved for it in the list. I am seeing everything return to work correctly on other URLs.

  • @WhtRULknAt: Is the URL in question public? If not, can you email me a SAZ File (using Fiddler) so I can look at the page?  thanks!

  • I am running IE9 on a Windows 7 machine.  It  is having the same problem as everyone else.  I downloaded and ran your utility.  It found the password in the target URL and erased it, but the web site is still not prompting to remember the password.  When I run your utility now, it says there is no password saved.  Do you have any idea how I can get IE9 to prompt to save the password?  

  • @JMM: Without a URL, I can't help you.
