Forcing Internet Explorer To Forget To Not Remember


All joking aside, last fall, I wrote about the variety of reasons why Internet Explorer might not offer to remember your password on a web form. As I mentioned then, you will not be re-prompted to save your password if you’ve previously declined to store the password for this username on this page by clicking “No” in the prompt:

Clicking No will prevent IE from storing this username/password combination

Internally, this “No” is stored as an entry (“Do not remember any passwords for Username=Eric for url=whatever”) in the Password List. Note: Data is stored as a list because you may have more than one username/password pair for a given page.

Unfortunately, there’s no easy way to reverse your decision if you later change your mind and do want to store the password[1]. Within IE itself, the only way to reset any “Do Not Remember” decision is to wipe all of your previously-stored passwords, for all sites (using the Delete Browsing History feature).

An explanation is in order.

When storing your passwords in the registry, IE doesn’t store the URLs in plaintext. Instead, it creates a registry entry[0] named by the string-serialized SHA-1 hash of the current URL (lowercased, removing query-string and fragment). The entry’s value is the password list, encrypted by the user account’s master key[3]. Therefore, the raw URL isn’t stored in the registry, and isn’t really even recoverable[2], due to the nature of hashing. That’s why Delete Browsing History’s option “Preserve Favorites website data” cannot selectively wipe only non-Favorites’ passwords.

The one-way nature of hashing also means that even advanced users cannot easily find the right registry entry to manually delete in order to re-trigger the Remember Password? prompt. To mitigate this difficulty, I’ve put together a trivial utility that allows you to clear the password list for a specified URL. You can try it out by storing some passwords (or refusing to) using the Password AutoComplete test page, and then running this utility.

The IE Remember Password tool allows you to clear the entire password list for a specific URL.

It’s important to understand that this tool doesn’t attempt to edit the individual username/password combinations within the password list if you have more than one for a given page. As I mentioned, the Delete Browsing History feature wipes ALL passwords entries for ALL sites. This tool, in contrast, wipes all password entries for the specified URL only.

Update: Internet Explorer 10 on Windows 8 changes things a bit. On Windows 8 with IE10, IE no longer stores encrypted passwords in the registry; they’re stored in the Credential Manager, which you can find by typing Manage Web Credentials in the Start Screen’s search box; it’ll be in the Settings section. However, this display does not show any of the “No password saved and do not ask” entries, and because those are no longer stored in the old registry key, this utility will not work on Windows 8.

 

-Eric

[0] Under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
[1] In contrast, forcing IE to “forget” a single username/password is simple: Just use the down arrow key and delete key to remove the username from the dropdown list in the username form field.
[2] modulo dictionary attacks.
[3] The DPAPI function CryptProtectData is called to encrypt the salted blob. That API uses the 168bit 3DES algorithm on Windows Vista and earlier; on Win7 and later, it may use 256bit AES.

Comments (42)

  1. Rob^_^ says:

    Many sites will inadvertently use a number of different document locations to present login credentials to users.

    An example is trademe.co.nz, on their homepage they have a Login link which is scripted with http://www.trademe.co.nz/Members/Login.aspx in the href value but displays a AJAX popup div on the containing page. So the location url that is stored with site credentials in IE’s Password store is different depending upon which page on the site that they click the Login link.

    Third party Form Fillers or other browsers which use the form action uri as the key and not the window.location uri can handle this and will present autocomplete information regardless of the hosting page’s location uri. Now I know there are security reasons for this behavior in IE and accept that it is the safer form autocomplete model.

    The problem is to educate developers to use design patterns that are safe and accomodate IE’s more secure achitecture. A common problem I am seeing is that sites will deploy the Facebook api and also offer a Facebook login prompt on their sites.

    Here is a Answers thread about the issue. http://social.answers.microsoft.com/Forums/en/InternetExplorer/thread/a003fe96-8f64-4d4f-a1cd-a0d6291529b1

    Regards.

  2. Robear Dyer, MS MVP says:

    Your IERememberPassword utility is a welcomed tool and will very helpful to IE8 users. Thanks, Eric!

  3. Sriranga says:

    Eric, I see in one of my customer’s machine that the hashed values were stored in a location called "storage1" in the registry.

    How does IE determine where to store the values? Will this tool work even if the location is "storage1"?

  4. EricLaw [MSFT] says:

    @Sriranga: The Storage1 key is used for non-password AutoComplete– for instance, the values that you type in a normal text box that isn’t a part of a login form. Only the Storage2 key is used for username/password storage.

  5. Sriranga says:

    Thanks for the clarification Eric. One more question –  Will IE remember passwords even if the form has more than 2 elements in it? Say, for example, it has username/some id/password and a captcha text. Will it store the username/password pair in the registry?

  6. Sriranga says:

    Did a repro at my machine for the above problem.

    Just posting here as information for other users:

    IE will not prompt to remember passwords if the form has more than 2 fields. One more entry to your ‘variety of reasons’?

  7. @Sriranga: It’s already there: Case #4, which used to break Facebook.com before they fixed it.

  8. RVParkGuy says:

    Your utility is very slick, it did just what I wanted it to.

  9. RocketMonkey says:

    Thanks, just what I was hunting for. I screwed up at some point, being a developer i run the same url over and over and couldn't get it to remember. This is what I needed to make typing my password over and over and over.

  10. Dan Brennan says:

    This is awsome – a tool that should be part of IE Simple and works great.

    thank you for sharing it!

  11. Brianne says:

    Thank you so much for your blog! It's so helpful!

  12. WhtRULknAt says:

    Can you then think of any other reason besides making a "do not remember this page's passwords" entry in the passwords list? Ever since trying to update the previously stored passord for this particular page, it will now no longer offer the option of saving its password/login info. (This is after clearing all passwords in history and closing and reopening IE, rebooting PC, etc, etc.) I have one persistant page that simply will not be remembered again and your tool indicates that nothing is saved for it in the list. I am seeing everything return to work correctly on other URLs.

  13. @WhtRULknAt: Is the URL in question public? If not, can you email me a SAZ File (using Fiddler) so I can look at the page?  thanks!

  14. JMM says:

    I am running IE9 on a Windows 7 machine.  It  is having the same problem as everyone else.  I downloaded and ran your utility.  It found the password in the target URL and erased it, but the web site is still not prompting to remember the password.  When I run your utility now, it says there is no password saved.  Do you have any idea how I can get IE9 to prompt to save the password?  

  15. @JMM: Without a URL, I can't help you.

  16. ScottM says:

    Eric, I am having the same issue – I wiped the password data associated with this URL:  secure.ecollege.com/…/index.learn

    But now it does not prompt me to remember the login id and password fields.  How can I now reset the "remember" feature?

  17. Bob says:

    suh-WEET!  Thanks, it worked wonderfully!

  18. StevoAUST says:

    Legend!  Many thanks; this was driving me crazy!

  19. Matt says:

    Is there really no way to get to the "No password saved and do not ask" entries in IE 10 on Win 8?

    Thanks.

  20. EricLaw [MSFT] says:

    @Matt: There's no UI I've found for this. There's likely a way to get this data by calling a Credential Vault API, but I'm not an expert on that topic.

  21. Cho says:

    Hi Eric,  I input this URL 'http://www.ejfq.com/…/login.htm& and got 'No passwords were found for URL hash: 71D29B6AC18E6822AAB837F11A9AEBD3B1F698A2FE.' from your cute program. However, I still can not have IE8 to remember the input ID/PW which worked before until I checked for 'Don't offer to remember……..' prompt. Many thanks.

  22. Ken says:

    I used your utility to fix error #6 with IE9 using VISTA Home Basic and it found no entered password on my ATT/Yahoo opening page.  I still have to "sign-in" on the generic Yahoo/ATT entry page to access my Yahoo/ATT home page.  I'm unclear as to what I should do next.  Do I really need to delete all passwords stored on my PC?

    Thanks!

  23. @ken: If the utility didn't fix this for you, you're not encountering problem #6 from my other post, and deleting your passwords is unlikely to help you.

  24. John says:

    Hey Eric,  Doing some testing and ran into a snag similar to some of the other comments.

    Using the test site http://www.debugtheweb.com/…/passwordautocomplete.asp

    I put in a username and password, submitted and told it to save the password.

    Next, used the tool and cleared the entry.  

    Now when I go to the site and enter a username/password then submit, the prompt to save the password appears on the screen for just a second (not long enough for me to go from submitt to yes).

    Any ideas?

    Win 7 Machine with IE 9.

    Thanks

  25. EricLaw [MSFT] says:

    @John: Typically, the "password save prompt appears but then quickly disappears" means that the login in question redirected from one domain to another.

    Does the prompt in question stay around if you start with this page: http://www.fiddler2.com/…/passwordautocomplete.asp

  26. Clank46 says:

    Great little utility – "does exactly what it says on the box". Many thanks Eric

  27. CJD says:

    Thanks. Worked perfectly. I had accidently hit "do not remember" on my most commonly changed and used site. You've made life easy again.

  28. Dan says:

    Worked great. Extremely useful little utility. Thanks!

  29. cahill says:

    theirs one more thing that can cause the auto complete to not work and that's a third party program that turns it off.  i just wish i could figure which one it was lol  

  30. atanga says:

    hi help please my ie 10 in windows 8 doesn't ask me to save passwords although autocomplete password is properly configured.. how can i make ie 10 to remember password when i go to a password form

  31. aravinda says:

    hi EricLaw

    Internet Explorer 10 Autocomplete would not prompt to save passwords fror some websites…Why?

    for yahoo mail it prompts to save the password when using IE 10 in windows 8 professional.. But for certain websites like gmail it wont prompt to save passwords.. How can i fix this issue .. Any help please…

    Thanx and regards

    Aravinda

  32. niley says:

    This happened me on Win7/IE9, and the utility didn't fix it for me, buuuut…I typed in a username and password I knew to be incorrect, and it asked me to save that, I left the notification bar there, (not clicking yes or no), and the website redirected me again to the login page with a "bad password" message ( as expected), I entered the correct login details, pressed login, THEN clicked "yes" on the notification bar, and next time i went to the page the password was saved. This wont work if the URL it redirects you to is different than the original login page, but in my instance is was the same, it might help some people.

    EricLaw: I can't think of any reason that would help, but thanks for sharing it.

  33. Arend says:

    Thanks, your IERememberPassword utility worked great for me!

  34. solaide says:

    I tried this on ie 9 windows 7. I have deleted all browsing history and tried loggin in to hotmail.com IE will still not ask me to save passwords.

    I have set my autocomplete settings in IE to enable autocomplete for forms and checked also for usernames and passwords. I have enabled inline autocomplete too in the advanced ie settings tab page.

    Stuff like this breed frustration with Microsoft products.

  35. Dave says:

    Seems to work well on IE9.  Thanks very much! Great utility!

  36. Felim Doyle says:

    Thanks Eric!

    That's a huge improvement on clearing the entire stored password history using the Delete Browsing History option. Your tool is a reasonable work-around for an age-old problem to which Microsoft should have produced a solution a long time ago. Maybe something like holding down a key combination while clicking to submit the username and password could be used to force the save password dialogue box to re-appear.

    Regards

    Félim

  37. Johnny says:

    This URL: http://www.videoblocks.com/login won't prompt me to remember passwords even after running your cute tool. Could you advise on how to get that back?

    [EricLaw] This page didn't prompt you to store your password to begin with, because the password field has an autocomplete=off attribute. Fortunately, you'll find that IE11 puts you in control and offers to remember this site's password anyway.

  38. Oliver says:

    Hi Eric, can you advise if the site singapore.merimen.com/…/index.cfm is also facing the same problem as Johnny, ie http://www.videoblocks.com/login? My PC on IE11 is fine, but not the rest of the pcs running IE9. Any workaround other than upgrading to IE11? Many thanks!

    [EricLaw] The page in question sets the autocomplete=off attribute to disable autocomplete. As explained in the post linked to atop this one, only IE11 ignores that attribute on login fields.

  39. lindak91@hotmail.com says:

    I clicked the "Remember this Password" box and now I have changed my mind and do NOT want this option.  I changed my password, but my computer keeps remembering whatever I set as a new password and I do NOT want it to.  Please advise.

    [EricLaw] In some versions of Windows, you can delete passwords using the Manage Web Credentials tool which you can find by searching your Start Menu or control panel. In others, you can delete a password by clicking into a username text box on the web page, clicking the down arrow to see the list of saved logins, then hit DELETE with the unwanted login username selected. If worst comes to worst, you can delete all saved credentials using Tools > Delete Browser History.

  40. K says:

    im interested in seeing what form autocomplete data (rather than passwords) is stored on my machine, is it possible to extend your utility to decrypt and list those entries (not passwords)? thanks!

    p.s. i believe in Win 8 or might be more to do with IE version, the registry location of interest has changed to HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerIntelliFormsFormData

  41. John says:

    The utility did not effect a solution for me personally, but I am very grateful that EricLaw studied this very bothersome problem and made the effort to create a solution that apparently works for people. It's nice to see someone recognizes the problem and took time to help people.

    In my case, on IE 10, I previously selected 'no' and that was it. I never was offered to remember it again. I selected no because I know how tricky IE is with passwords and wasn't certain that the one I was entering was correct. Once I was certain that it was, I was given no option to store it again.

    It seems to me to be a foolish and antagonistic design. I don't understand why something like this wasn't corrected. The MS forums are of no help because, as usual, many people state the problem in detail, and the moderators on those forums reply with 'read this tome' or link to utterly unrelated pages. Which I presume is the cordial protocol instead of telling the user they are screwed.

    Many thanks again; I appreciate the effort. Be blessed.

  42. Lacey says:

    I just used the IERememberPassword tool for the website I was trying to save a password for and it fixed my problem.  It may seem like a little thing, but it was driving me CRAZY to not be able to save my password.  It is a very long password and how my office has security set up, I have to log in about ten times or more a day.  This fixed my problem and I am so so grateful.  Thank you!