How to set up smartphones and PCs. Informational portal

Where are passwords stored on Android phones? Where to store passwords on iOS and Android? My own experience.

Hello Habr! I am a young developer specializing in Android development and information security. Not so long ago, I wondered: how does Google Chrome store saved user passwords? Analyzing information from the network and the files of Chrome itself (this article was especially informative), I found certain similarities and differences in the implementation of saving passwords on different platforms, and for demonstration I wrote applications to extract passwords from the Android version of the browser.

How does it work?

As we know from various publications on the network on this topic, Google Chrome on the PC stores the passwords of its users in the directory
"C:\Users\SomeUser\AppData\Local\Google\Chrome\User Data\Default\", in the file "Login Data".

This file is a SQLite database, and it is quite possible to open and view it. In the logins table we can see the following fields of interest to us: origin_url (website address), username_value (login), password_value (password). The password is stored as a byte array and is encrypted with a machine key, which is individual for each system. More details can be found in this article. Thus, there is no protection in the Windows client.

Android

But since I am more interested in Android, the Android client of the browser caught my attention.

Opening up the Google Chrome package (com.android.chrome), I found that its structure is very similar to that of the PC client, and it was not difficult to find exactly the same database responsible for storing user passwords. The full path to the database is "/data/data/com.android.chrome/app_chrome/Default/Login Data". In general, this database is very similar to its "older sister" from the PC version, with only one, but very significant, difference: passwords are stored here in clear text. The question arises: is it possible to programmatically extract passwords from the database? The answer was pretty obvious: yes, if your application has root rights.

Implementation

For greater clarity, it was decided to make our own tool for extracting passwords from the browser database.

To describe its work in a nutshell, it works like this:

  • Gets root.
  • Copies the Chrome database to its own directory.
  • Uses chmod to open access to the copy of the database.
  • Opens the database and retrieves the logins and passwords.

The app has been hosted on Google Play.
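
A defensive check for the storage difference described above, as an added example that is not from the original article: it inspects a `logins` table and reports whether `password_value` entries are readable text or opaque bytes, without ever returning a password. Only the table and column names come from the article; the in-memory database, its rows and the function names are constructed for illustration.

```python
import sqlite3


def classify(value):
    """Classify one password_value as 'empty', 'plaintext' or 'opaque'."""
    if value is None or len(value) == 0:
        return "empty"
    if isinstance(value, str):            # column stored as TEXT
        value = value.encode("utf-8")
    try:
        text = bytes(value).decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"                   # not valid text: likely an encrypted blob
    # Valid UTF-8 made only of printable characters is readable by anyone
    # who can open the file.
    return "plaintext" if text.isprintable() else "opaque"


def audit_logins(conn):
    """Count storage forms in the logins table; secrets are never returned."""
    report = {"empty": 0, "plaintext": 0, "opaque": 0, "plaintext_origins": []}
    query = "SELECT origin_url, password_value FROM logins ORDER BY rowid"
    for origin, value in conn.execute(query):
        kind = classify(value)
        report[kind] += 1
        if kind == "plaintext":
            report["plaintext_origins"].append(origin)
    return report


def build_sample():
    """Constructed stand-in for a 'Login Data' file (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins ("
        "origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    rows = [
        ("https://mail.example/", "alice", b"correct horse"),
        # Constructed opaque bytes standing in for an encrypted value.
        ("https://shop.example/", "alice",
         bytes([0x01, 0x00, 0x9F, 0xE2, 0x17, 0xC4, 0x88, 0x03])),
        ("https://forum.example/", "bob", b""),
        ("https://bank.example/", "bob", "пароль".encode("utf-8")),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    result = audit_logins(build_sample())
    print("plaintext:", result["plaintext"],
          "opaque:", result["opaque"],
          "empty:", result["empty"])
    for origin in result["plaintext_origins"]:
        print("stored readable for:", origin)
```
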

Conclusion

As a conclusion from the work done, we can say that if you have root rights, pulling the password database from the browser and sending it to your server is a completely solvable task, and this fact should make you think about whether to trust any application with superuser rights ...

Hope this article was informative. Thank you for your attention!

An active Internet user is forced to enter a huge number of passwords - from social networks, e-mail boxes, online stores, online games. For security reasons, it is recommended to come up with an original password with each new registration, because otherwise an attacker, having gained illegal access to one account, will be able to easily hack others. It is difficult to remember a lot of different logins and passwords, but to write them down in a notebook is unsafe, so the best option to unload memory is to use special programs for storing passwords. It is enough to remember just one, the master password, in order to gain access to all the rest.

Price: Free

LastPass is a well-known cloud service for storing passwords, developed by the company of the same name and available on the computer operating systems Linux, Windows and OS X, in the Google Play, AppStore and Microsoft Store app stores, as well as in the form of plugins for major browsers, for example, Mozilla Firefox and Google Chrome. This program not only remembers the identification data, but also manages it: it helps the owner generate a new password, changes the data if it notices a hacking attempt, analyzes the complexity and strength of passwords, and makes sure that the passwords from two different accounts are not the same.

The key benefits of the password saving software LastPass include the following:

  1. Two-factor authentication. Most sites require you to enter only a username and password - this is called one-factor authentication. Two-factor authentication prompts the user for additional data (for example, PIN, phone number, fingerprints), which is a guarantee of increased reliability. Well-known portals Twitter, Amazon, Facebook have switched to two-factor authentication, and more recently LastPass. Additional password protection is provided by Google Authenticator and YubiKey.
  2. Full and high-quality Russification.
  3. Wide functionality. After the LastPass interface was updated in 2014, the service was supplemented with a number of useful additional functions. Now, using the application, a user can store documents, use tools for auto-filling forms of online stores, and monitor changes in credit history.

LastPass is considered a free program for saving passwords; however, to use the mobile versions, you need to purchase a premium account, which costs $12.

1Password

Price: Free +

Users of 1Password note the simplicity of its use and a very friendly and pleasant interface as important advantages of the program. However, the advantages of 1Password, a program for remembering passwords entered on a computer, do not end there - there are others:

  1. Cross-platform. The program works on Windows, Mac OS, Android, iOS, and also integrates into the most popular browsers like Opera and Firefox. However, such broad integrability is more the norm for password managers than a distinguishing feature.
  2. Synchronization. Through Dropbox and iCloud you can open access to the password store to unauthorized users.
  3. Reliability. The database is protected by the AES-128 cipher, adopted as a standard by the US Government. Data leak is warned by inline keylogger, a device that records user actions.
  4. Generating passwords. If it is necessary to create a new password, the password generator does not just give out a random set of numbers and letters, but generates a combination corresponding to the parameters previously specified by the user. Such parameters are the number of characters, the presence of numbers and even the pronounceability of the combination.
  5. Security auditing capability. The program will check the database for duplicate and weak passwords.

1Password has the highest rating among peers in the AppStore (4 stars out of 5); however, this software is not without its drawbacks. 1Password is quite expensive - iPhone owners will have to part with 5 thousand rubles in order to install the full version. However, even having paid this money, the user will not be able to edit the database on a mobile device.

Dashlane

Price: Free

Released in 2012, the password manager Dashlane immediately gained worldwide popularity due to its simple high-quality interface, high security and the ability to automatically fill in forms on web pages. By 2016, there were several updates, and the program managed to "grow" additional functions. What sets Dashlane apart?

  1. Two-factor authentication - a sign of the attentive attitude of developers to the reliability of their offspring.
  2. Purchase tracking and integration with e-wallets simplify the shopping process through online stores.
  3. Accessibility for any device. This program for saving passwords entered on a computer works with both desktop and mobile OS, and even has a plug-in for Internet Explorer. Cloud synchronization of several devices on different platforms is possible, but only with the purchase of the Pro version.

The basic functions of Dashlane are available for free; the full version will cost almost $40 per year. Despite this cost, the application has not yet been Russified - this is the main reason why Dashlane is not as popular among domestic users as, say, LastPass.

RoboForm

Price: Free +

RoboForm is the "pioneer" and "long-liver" among password managers. The development of this program began back in 1999; however, to this day, the application is constantly improving and increasing its functionality. Those who believe that using RoboForm now, in the presence of many worthy competitors, is a sign of unhealthy conservatism are mistaken, because the program can really offer the user a lot of unique advantages:

  1. Versatility. The fact that the password manager works with all major and current operating systems is no surprise. However, how many programs are known that are supported on Symbian, Palm OS, Blackberry OS and even Windows 2003? RoboForm is one of those.
  2. Mobility. It is not necessary to install RoboForm on a computer or gadget to use it - thanks to the RoboForm2Go function, the program can be installed on a USB flash drive and run on public computers.
  3. Reliability. The RoboForm database is encrypted using the AES-256 standard, which is traditionally used in banking.
  4. Ability to create multiple profiles. Different people can use the same program - individual information will be stored in each of the password-protected profiles. This allows you to save money and purchase the paid version of the application as a "bundle".

The manager can be downloaded for free, but then you will not be able to store more than 10 logins / passwords. To store an unlimited amount of data, as well as for cloud sync, you need the RoboForm Everywhere version, which costs about $20 per year.

As our lives are rapidly digitized, we are literally overgrown with a variety of passwords. And when there are dozens of services, remembering passwords from them is simply unrealistic. You can, of course, use the same password everywhere, but this is very insecure. Lost it - and all the details of your life may go to someone not very friendly. Therefore, it is more correct to come up with different passwords everywhere, and then write them down in a secluded place.

But how to choose this place? To be both convenient and reliable? There are hundreds of options. I will not tell you about all password storage applications. It will take too long because I've tried a lot of things. I'll tell you better about the two that I ended up with.

I've been using the free app B-Folders on Android for many years. Unlike many analogs, it is really free - there are no restrictions either on the number of fields in the records, or on the number of records themselves. The database is stored in encrypted form; by default, access to it opens after entering a password or PIN code (optional). For an additional amount, you can enable fingerprint unlocking (299 rubles).

The developer has been working on the application since 2009 and seems to have foreseen everything. In the settings, you can change the appearance of the application and cards, set the time for forced clearing of the clipboard after you have copied the password into it, enable self-destruction of the database after a certain number of incorrectly entered passwords, etc. etc. The authors' paranoia has reached the point that it is not even possible to take a screenshot in the application - and this, by the way, is absolutely correct.

You can find fault with two things. First, the interface is not localized - everything is in English. There are no problems with Russian names and passwords, and all important inscriptions are duplicated with clear icons. But for some, perhaps it will be a nuisance.

Secondly, there is no option for automatic synchronization of the database with cloud storage. Perhaps this is also done for additional security of the password database. But the latter can be saved as an encrypted file, sent to any cloud (Dropbox, OneDrive, etc.), and from there downloaded to another phone. The procedure takes literally a minute, and all your favorite settings are moved along with the base.

So, probably, I would have used only B-Folders, but life forced me to look for a multi-platform solution, so that on Android, on iOS and on a computer you can look up especially tricky passwords. I tried everything and ended up settling on ... Kaspersky Password Manager. The application is also free by default, but if you don't add money, you can store only 15 passwords. If you want more, you have to pay extra. You cannot buy the application forever; the license is valid for a year. But, unfortunately, this is the case for all decent multiplatform apps with online synchronization. The only question is the price.

And, odd as it sounds, in the case of Kaspersky Password Manager it can be very different. I had the stupidity to buy a license directly through the App Store, where I was charged 1000 rubles. And on the Kaspersky Lab website the same thing costs only 450 rubles. If you bought a license for Kaspersky Total Security (1990 rubles per year for two computers), then Password Manager comes as a free bonus.

Since Password Manager has Russian roots, localization is present in full. There are different card formats for websites, apps and personal data, plus there is a separate section for notes. Encrypted, of course. I liked that when you enter a password for a site, its icon is automatically displayed in the menu - it’s easier not to get lost when there are a lot of passwords. Also, if you open the site directly from the application, it will try to substitute the password into the form. It doesn't always work out, because the forms are written oh, how differently. But sometimes it really saves time.

Once entered, passwords are stored in the Kaspersky Lab cloud and are available from any authorized device. Additional protection is provided by the presence of a master password: that is, it is not enough to enter your account data, you need another one on top. Login to the application is by PIN code, fingerprint, or - in the case of iPhone X - by face. There are versions for PC and Mac, but it's probably easier to go there through a browser.

The only disadvantage of the product is the lack of the opportunity to buy a lifetime license; somehow one feels calmer with it. But it looks like the time for such licenses is running out.

Take care of passwords! Too much can be lost with them. Suffice it to recall hundreds of sufferers who have forgotten the data of their bitcoin wallets :)


Password managers are becoming more and more popular. The ability to keep all your passwords in one place is very attractive. With mobile devices, you can have all your passwords at hand at all times without compromising the security of your data. There are tons of password managers out there for PC, Mac, and mobile. Here are the best password manager apps for Android.

aWallet Password Manager
aWallet is one of those password manager applications that have been used for a long time. The app stores passwords, banking transactions, information, credit card information as well as user data if you need it. There is also built-in search, custom icons, and an auto-lock feature. There is even a built-in password generator so you don't have to worry about it. The password manager covers everything you need, including AES and Blowfish encryption. You can download the app for free or buy the PRO version.

Dashlane
Dashlane is another app that has been around for a long time. Dashlane offers all the features you need, including support for passwords, credit cards, and other sensitive types of information. The app also supports autocomplete passwords on websites and apps. You can back up locally or using the cloud. 256 bit AES encryption works as expected. You can use most of the features for free, but if you want to use all of the features, you will have to subscribe to a paid subscription. It is one of the most solid password managers for Android.

Enpass password manager
Enpass is a pretty powerful password manager. It covers all the basic functions, and there are also versions for Mac, PC and Linux. The app also doesn't require a monthly fee, which is a good sign. The app allows you to back up and restore your data, includes 256-bit AES encryption and cross-platform sync, and you can also import data from other password managers to make the transition easier. You will also be able to use auto-complete in Google Chrome if you are using this browser. The app is free to download; a one-time payment of $9.99 is enough to unlock all features.

Keepass2Android
Keepass2Android is one of the most basic password manager apps on this list. Keepass has basic features with which you will be able to back up passwords and the like. However, the app does not offer the more advanced features of most competitors. The main feature of the application is the completely free open source distribution. The app is based on the Keepassdroid code (another free open source password manager), and both apps are compatible with each other.

Keeper
Keeper is a password manager with many features. The main feature of the application is 256-bit AES encryption and PBKDF2, which certainly help to feel safe. However, the application covers basic functions, includes auto-complete in various applications and websites. Along with passwords, Keeper also includes video and photo vaults where you can store sensitive images or videos. The app also supports fingerprint lock, which is always helpful. You can also sync the app between devices and store your data in the cloud if you want. It's a pretty decent option, although you'll need a subscription to get all the features.

LastPass
LastPass is on the same track when it comes to password managers for Android. LastPass offers a ton of features, including auto-complete passwords in apps, websites, and individual forms. The app also helps you store photos and audio notes. There are several other, more unique and unusual features, including support for a fingerprint scanner, a password generator, and a password audit that will let you know if a password is not strong; the application also provides the ability to use emergency help from a friend or family member. You can use the core of the application for free, but you will need a paid subscription if you want to use all the features. You can also download LastPass Authenticator from Google Play to add a second factor for added security.

mSecure Password Manager
mSecure is one of those password managers that has seemingly always been around. However, the app has seen several updates since its inception and the look and feel of the password manager remains relatively modern. In addition, the manager supports basic functions, 256-bit AES encryption, a password generator, and the ability to back up your data to your SD card. The app also has a self-destruct function in case someone makes a mistake with the password too many times. It is a reliable universal password manager, although the lack of a free version may put some users off. We recommend looking at some of the reviews and trying the app.

Password Safe and Manager
Password Safe and Manager is the sweet spot when it comes to choosing a password manager. This app does not need an Internet connection, and 256-bit encryption makes you feel relatively secure. The password manager uses Material design, which looks really great. You can enter passwords, categorize them for easy viewing, and generate new passwords on the fly. In addition, the password manager offers automatic backup functions. And the app offers significantly more options if you buy the PRO version for $3.99. It is not the most powerful, but it is a very good application.

RoboForm Password Manager
RoboForm is a very old app, but it's still one of the best password managers for Android. It does what it should and does it well, and it also offers bookmarks so you can find your most used passwords faster. The app also recognizes new passwords when you create them and log in, a nifty solution. The password manager also supports multi-step logins, which is very convenient. The app works with Chrome and Firefox, even Dolphin Browser. This is a completely free app that works great.

SafeInCloud Password Manager
SafeInCloud is a cloud-based password manager, and a very capable one. It stores all your data in the cloud, with which you can sync any of your devices. The app includes Material Design, 256-bit AES encryption, support for fingerprint readers and Android Wear, a password generator and a password strength calculator. You will be able to auto-complete fields in some browsers. You can get most of the features with the free version, and the PRO version will cost you a very reasonable 199 pounds.

I've been using the great password storage service LastPass for years and I think it's the best of its kind. However, for the Android platform, this service only offers a paid use case, which is not suitable for everyone. Therefore, in this article, we'll look at how to get your passwords out of LastPass, transfer them to Android, and organize them securely and conveniently.

1. Export passwords from LastPass

It is very easy to extract your passwords from this service, the process only takes a few clicks. To do this, go to the web interface of the service and select the "Export" item in the main menu. After that, you need to specify the name of the file and the location where it is saved on your computer.

2. Converting LastPass passwords to KeePass passwords

To work with passwords on a mobile device, we will use the program KeePass. It has clients for almost all platforms, has proven itself well in terms of security, and is convenient and free. But before you transfer your passwords to your mobile device, you need to convert them into a form this program understands. This feature exists in the desktop version of KeePass.

Install KeePass on your computer and create a new password database using one of your Dropbox folders as the location. Then import the LastPass password file into the password database you created.

3. Keepass2Android

Once your passwords are in a KeePass-friendly form, you can transfer them directly to your mobile device. To do this, it is best to use the Keepass2Android mobile client, which can synchronize the password database via Dropbox. Install this program, and then open the password database you created earlier.

4. Automatic filling of passwords

One of the most handy features of LastPass is the ability to automatically fill in credentials on saved sites. Keepass2Android also has a similar feature, although it is implemented in a slightly different way. The program has a special keyboard with which passwords are entered. It happens in the following way.

  1. You open the authorization page in your browser (almost all Android browsers are supported).
  2. Use the "Send" menu to forward this page to Keepass2Android. The program finds a password suitable for this page in its database.
  3. Then you are prompted to select a keyboard. We select the Keepass2Android option.
  4. A special keyboard appears, on which, using special keys, you can enter your username and password for the open page in the required fields in one click.

Now you will have on your mobile gadget a well-protected and synchronized database containing all your passwords. In addition, we get the ability to conveniently enter passwords using a special keyboard, which allows you to very quickly and conveniently enter the sites you need.
