Forcing Internet Explorer To Forget To Not Remember

All joking aside, last fall, I wrote about the variety of reasons why Internet Explorer might not offer to remember your password on a web form. As I mentioned then, you will not be re-prompted to save your password if you’ve previously declined to store the password for this username on this page by clicking “No” in the prompt:

Clicking No will prevent IE from storing this username/password combination

Internally, this “No” is stored as an entry (“Do not remember any passwords for Username=Eric for url=whatever”) in the Password List. Note: Data is stored as a list because you may have more than one username/password pair for a given page.

Unfortunately, there’s no easy way to reverse your decision if you later change your mind and do want to store the password[1]. Within IE itself, the only way to reset any “Do Not Remember” decision is to wipe all of your previously-stored passwords, for all sites (using the Delete Browsing History feature).

An explanation is in order.

When storing your passwords in the registry, IE doesn’t store the URLs in plaintext. Instead, it creates a registry entry[0] named by the string-serialized SHA-1 hash of the current URL (lowercased, removing query-string and fragment). The entry’s value is the password list, encrypted by the user account's master key[3]. Therefore, the raw URL isn’t stored in the registry, and isn’t really even recoverable[2], due to the nature of hashing. That’s why Delete Browsing History’s option “Preserve Favorites website data” cannot selectively wipe only non-Favorites’ passwords.
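The naming scheme described above can be reproduced to find which value under the Storage2 key belongs to a given page. The following is an added example, not the author's utility or code from the original post. The byte encoding (UTF-16LE with a terminating NUL) and the trailing checksum byte are assumptions the post does not state, and the URLs and value names are constructed samples.

```python
import hashlib

# Key path from footnote [0] of the post.
STORAGE2 = r"Software\Microsoft\Internet Explorer\IntelliForms\Storage2"

def normalize_url(url):
    """Drop the fragment and query string, then lowercase, as the post describes."""
    for sep in ("#", "?"):
        url = url.split(sep, 1)[0]
    return url.lower()

def storage2_value_name(url):
    """Return the 42-hex-digit value name expected for this URL."""
    # ASSUMPTION (not stated in the post): the hashed bytes are the UTF-16LE
    # URL including its terminating NUL, and the name is the 20 SHA-1 bytes
    # plus a one-byte additive checksum, written as uppercase hex.
    digest = hashlib.sha1((normalize_url(url) + "\0").encode("utf-16-le")).digest()
    return (digest + bytes([sum(digest) & 0xFF])).hex().upper()

def match_entries(value_names, candidate_urls):
    """Map each value name to the candidate URL that produces it, if any."""
    wanted = {storage2_value_name(u): normalize_url(u) for u in candidate_urls}
    return {n: wanted[n.upper()] for n in value_names if n.upper() in wanted}

def list_storage2_names():
    """Read the value names under Storage2 for the current user (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, STORAGE2) as key:
        count = winreg.QueryInfoKey(key)[1]
        return [winreg.EnumValue(key, i)[0] for i in range(count)]

if __name__ == "__main__":
    # Constructed sample data: one name derived from a made-up URL, one unknown.
    names = [storage2_value_name("https://example.com/Login.aspx?next=/home"),
             "00" * 21]
    mine = ["https://example.com/login.aspx", "https://example.org/signin"]
    for name, url in match_entries(names, mine).items():
        print(name, "->", url)
```

On Windows, passing `list_storage2_names()` as the first argument to `match_entries` shows which of your known login pages have an entry. The values themselves stay DPAPI-encrypted and are not read.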

The one-way nature of hashing also means that even advanced users cannot easily find the right registry entry to manually delete in order to re-trigger the Remember Password? prompt. To mitigate this difficulty, I’ve put together a trivial utility that allows you to clear the password list for a specified URL. You can try it out by storing some passwords (or refusing to) using the Password AutoComplete test page, and then running this utility.

The IE Remember Password tool allows you to clear the entire password list for a specific URL.

It’s important to understand that this tool doesn’t attempt to edit the individual username/password combinations within the password list if you have more than one for a given page. As I mentioned, the Delete Browsing History feature wipes ALL password entries for ALL sites. This tool, in contrast, wipes all password entries for the specified URL only.

Update: Internet Explorer 10 on Windows 8 changes things a bit. On Windows 8 with IE10, IE no longer stores encrypted passwords in the registry; they're stored in the Credential Manager, which you can find by typing Manage Web Credentials in the Start Screen's search box; it'll be in the Settings section. However, this display does not show any of the "No password saved and do not ask" entries, and because those are no longer stored in the old registry key, this utility will not work on Windows 8.

-Eric

[0] Under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
[1] In contrast, forcing IE to "forget" a single username/password is simple: Just use the down arrow key and delete key to remove the username from the dropdown list in the username form field.
[2] modulo dictionary attacks.
[3] The DPAPI function CryptProtectData is called to encrypt the salted blob. That API uses the 168-bit 3DES algorithm on Windows Vista and earlier; on Win7 and later, it may use 256-bit AES.