Note: This is an update to my original article
With the release of IE10, Microsoft has changed how Internet Explorer stores passwords. Previously, for versions IE7 through IE9, the browser would store auto-completed passwords in the registry and
HTTP basic authentication passwords in the Windows Credentials Store (aka Vault). As a refresher: Auto-complete passwords are normal website login passwords such as gmail, Facebook, LinkedIn, etc. HTTP basic authentication passwords are network login passwords for LANs, etc.
The encryption method that IE7-IE9 used for storing auto-complete passwords was very difficult to defeat, whereas the Credentials Store was much easier to break into to recover passwords. Therefore I was very surprised to learn that in IE10, Microsoft now stores ALL passwords in the Windows Credentials Store – with no new security measures!
The Windows Credentials Store is only protected with the regular DPAPI, and can be (relatively) easily cracked. All private entries of a user can be found in his profile. By default, the folder
<USER NAME> = user name &
<VAULT_UID> = Vault identifier. By default, the value is: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
Each IE10 password entry is in a .vcrd (Vault Credential) file and the encryption key is stored in the same folder.
This moves IE10 into the same league as Google Chrome leaving Mozilla Firefox as the leader in terms of password security (providing you enable a strong Master password).