Just because you read it on the Internet, does not make it true
I came across a blog entry about Internet Explorer which draws assumptions about how the program stores 'autocompete' passwords that are simply wrong.
Here is the URL:
For whatever reason, the blog's author seems to have come to the incorrect conclusion that because his "password managing program" was able to access and display his stord usernames and passwords that this therefore meant that IE stores autocomplete passwords in "a single flat-file that is unencrypted and can be easily read by a variety of program(s)".
The author's conclusions are incorrect. IE7 DOES encrypt autocomplete data. Yes, there are programs out there that can retrieve the stored data, but reality is the data *is* encrypted, and is *not* in a "flat file" (whatever the heck that means).
IE uses Protected Storage (and later Data Protection API (DPAPI)). To quote a Techet article:
"The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.
The storage location that is provided by this service is secure and protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user’s master key. This component requires no configuration."
To give you an idea of how IE stores passwords, have a look at this registry key - yes, that's Protected Storage in action:
To give you an idea of how IE protects sensitive data, have a look at this registry key:
A big difference, yes?
So, to reiterate, yes there are programs out there that can retrieve the encrypted username and password data stored by IE, BUT, the data *IS* encrypted and it is *NOT* a "single flat file".
More information about Protected Storage / DPAPI: