Using Network Password Recovery to Recover Windows Stored Password

When we covered the new Windows 7 Credential Manager, we said that you can’t really use it for recovering lost passwords, and we appreciated the way we thought it protected them. However, it turns out there is a free portable tool from NirSoft called Network Password Recovery that can do exactly what we said couldn’t be done: recover the passwords stored in Credential Manager. Though not all of them can be recovered, most of them can.

Download the tool and launch it in Windows, and see what is revealed.


DigitalCitizen has a few security concerns about this. To me, though, it is nothing to be scared of, because in order to get to the point where all passwords are shown in front of you in plain text, you need to log on to the machine as a user with administrator privileges, and you also need to pass UAC. This is another good example of why you should have a strong password, use a regular account that doesn’t have administrator privileges, and enable UAC.

But if the hard drive that stores all your data, including the stored passwords, falls into the wrong hands, none of these will help you. The only way to ultimately prevent this is to fully encrypt your drive. Windows 7’s BitLocker is one way, but since it’s only available on the Ultimate and Enterprise editions, TrueCrypt becomes the best alternative for those who don’t have BitLocker. We have covered how to fully protect your system here, and it’s not difficult at all. If you don’t want your data to fall into the wrong hands, you have to do it.

Thinking positively, Network Password Recovery can be a very useful tool for recovering passwords. It recovers passwords stored not only in the current user profile but also in other profiles, either on the same computer or on an external hard drive. The latest version has a new Advanced option under the File menu that allows you to specify the user profile path that is from the current logon user.


It works properly on almost all versions of Windows, except Windows 2000 since it’s the only version that doesn’t save the network passwords.

Let’s dig a bit deeper into why this tool is able to reveal the passwords that are stored in Credential Manager.

The stored credentials are saved in each user profile (see below for the detailed paths) and are encrypted using the SHA hash of the log-on password. In other words, without that hash, they cannot be decrypted. Did you notice that you have to enter the last log-on password in the Advanced Options window above? You need to specify the password along with the profile path in order for this tool to be able to crack and show the stored passwords.

In XP, the stored passwords are saved in either of these folders:

%userprofile%\application data\Microsoft\Credentials\<User SID>

%userprofile%\local settings\application data\Microsoft\Credentials\<User SID>

In Windows 7, the stored passwords are saved in either of these folders:

%userprofile%\AppData\Local\Microsoft\Credentials\

%userprofile%\AppData\Roaming\Microsoft\Credentials\

Knowing that, Network Password Recovery is able to pull the information from these folders, decrypt it using the known login password, and list the results in the tool’s interface.
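To see which profiles on a machine actually hold stored credentials in the Windows 7 folders listed above, the following added example (not part of the original article and not NirSoft code) inventories the credential files by count and last write time only, without reading or decrypting them. The profile root C:\Users and the function name Get-StoredCredentialInventory are assumptions made for this sketch.

```powershell
# Added example: metadata-only inventory of Credential Manager stores.
# Store paths are the Windows 7 locations listed above; the profile root
# 'C:\Users' and the function name are assumptions for this sketch.
function Get-StoredCredentialInventory {
    param([string]$ProfileRoot = 'C:\Users')

    $stores = @(
        'AppData\Local\Microsoft\Credentials',
        'AppData\Roaming\Microsoft\Credentials'
    )

    # -Force is required: profile folders and credential files can be hidden/system.
    # @() keeps the loop from running once on $null under PowerShell 2.0.
    $userDirs = @(Get-ChildItem -LiteralPath $ProfileRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })

    foreach ($userDir in $userDirs) {
        foreach ($store in $stores) {
            $path = Join-Path $userDir.FullName $store
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # -Recurse also covers layouts with a per-SID subfolder (as on XP).
            $files = @(Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer })
            if ($files.Count -eq 0) { continue }

            $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            New-Object PSObject -Property @{
                Profile     = $userDir.Name
                Store       = $store
                Files       = $files.Count
                NewestWrite = $newest.LastWriteTime
            }
        }
    }
}

# Profiles with the most stored credential files first.
Get-StoredCredentialInventory |
    Sort-Object Files -Descending |
    Format-Table Profile, Store, Files, NewestWrite -AutoSize
```

Run it from an elevated prompt to cover profiles other than your own; without elevation those folders are skipped silently. Entries that are no longer needed can be removed in Credential Manager or with cmdkey /list followed by cmdkey /delete:<target>.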

There are still questions as to how the tool is able to know the current login user (maybe it doesn’t and only needs the hash), and why some passwords can be easily decrypted but some others can’t.

If any of you are interested in Credential Manager in Windows 7, both 7Tutorials and we have covered it here and here, so check them out.

Kent Chen

Microsoft MVP, IT Professional, Developer, Geek, and the co-founder of Next of Windows.

Last updated: 10/20/2015

Posted in: Security