In the last three articles in my series on stored passwords, I mainly discussed Windows-related passwords. Today, I will focus on saved Internet Explorer passwords.
The two types of saved Internet Explorer passwords
I already mentioned in my post about the Windows Vault that some saved Internet Explorer passwords can be managed with the Credential Manager. These are HTTP authentication passwords, that is, passwords that are used to authenticate against a Web server (Internet Information Server, Apache, etc.). Passwords that are used to log on to a Web site with an HTML form (through a content management system) are not stored in the Windows Vault.
You can easily tell these two forms of authentication apart. HTTP authentication always opens a separate dialog window in Internet Explorer where you have to enter the credentials. HTML authentication is usually integrated within the Web page. This also makes clear why these passwords are not stored in the Windows Vault.
Internet Explorer uses its auto-complete feature to manage passwords that you have to enter in HTML forms. The advantage is that you can use different accounts for a specific Web site. You just have to start typing the user name, and Internet Explorer will fill out the form fields for the user name and the password automatically.
Manually disable Internet Explorer saved passwords
As mentioned in my last posts, storing passwords always poses a risk, especially if you use functions integrated in Windows. If your organization values security above all, then you should consider disabling Internet Explorer saved passwords.
Users can turn off this feature themselves if they don’t want to be bothered by the AutoComplete feature. In Internet Explorer 8, you will find the AutoComplete settings in the Content tab under Tools | Internet Options.
Disable Internet Explorer saved passwords with Group Policy
If you don’t trust your users in these matters, you might want to disable Internet Explorer saved passwords network-wide with Group Policy. The name of the GPO setting is “Turn on the auto-complete feature for user names and passwords on forms.” You can find it under User Configuration | Administrative Templates | Windows Components | Internet Explorer. You have to disable this setting if you want to disallow Internet Explorer saved passwords.
If you just don’t want new passwords to be saved but still want users to be able to use old credentials, you can enable this GPO setting and leave the “Prompt me to save passwords” option unchecked.
Notice that you can’t pre-configure these settings with the Group Policy Preferences because the Content tab is missing here. These security-relevant settings should be enforced with policies.
Delete saved Internet Explorer passwords
Notice that disabling saved Internet Explorer passwords won’t delete the passwords. If you change the GPO setting to “not configured” again, then users will be able to use their old stored passwords. Users can delete saved Internet Explorer passwords at the General tab in Internet Options by deleting the corresponding Browsing History.
Saved Internet Explorer passwords storage location
If you don’t want to rely on your users, then you can delete all saved Internet Explorer passwords with a script. Windows stores the Internet Explorer passwords in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms.
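One way to script the deletion mentioned above, as an added example that is not from the original article. It has to run in the user's own session (for example as a logon script) because the key lives in HKEY_CURRENT_USER; the function name and its parameter are hypothetical, and only the registry path comes from the article.

```powershell
# Added example: report what is stored under IntelliForms, then remove it.
function Clear-IESavedFormPasswords {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Registry location named in the article (per-user hive).
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms'
    )

    # A profile that never saved form data has no such key; that is not an error.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Verbose "No IntelliForms key for $env:USERNAME; nothing to delete."
        return
    }

    # Inventory the key and all of its subkeys before touching anything,
    # so the run leaves a record of what existed (value counts only,
    # the encrypted data itself is never read or exported).
    $keys = @(Get-Item -LiteralPath $KeyPath) +
            @(Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue)

    foreach ($k in $keys) {
        [pscustomobject]@{
            User       = $env:USERNAME
            Computer   = $env:COMPUTERNAME
            Key        = $k.Name
            ValueCount = $k.ValueCount
            Checked    = Get-Date
        }
    }

    # -WhatIf turns this into a pure audit; without it the whole key is removed.
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Delete saved Internet Explorer form data')) {
        Remove-Item -LiteralPath $KeyPath -Recurse -Force -ErrorAction Stop

        # Verify the result instead of assuming the delete worked.
        if (Test-Path -LiteralPath $KeyPath) {
            throw "IntelliForms key still present for $env:USERNAME after deletion."
        }
    }
}

# Audit only:   Clear-IESavedFormPasswords -WhatIf
# Delete:       Clear-IESavedFormPasswords
```

Deleting the key without also disabling the GPO setting described earlier only clears the current contents; Internet Explorer will start saving form passwords again.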
Recover saved Internet Explorer passwords
Of course, the Internet Explorer passwords are encrypted in the Registry. However, it is not a big deal to recover these passwords with third-party tools. This can be useful if a user forgot the password and can’t log on after you disabled Internet Explorer saved passwords. A good free tool to recover saved Internet Explorer passwords is IE PassView. Of course, you can’t recover the passwords with this tool if you already deleted the stored passwords in the Registry.