Join 3,561 readers in helping fund MetaFilter (Hide)


Safari Password Recovery
January 16, 2011 12:09 PM   Subscribe

Safari Password Recovery - I want to recover login information from a site I used on Safari on OS X 10.4.

There is a site I would like to be able to access from another machine.

[caveat]I have an old Sawtooth PowerPC, so an OS X upgrade is out of the question.[caveat]

There is a password protected site I used to visit on the Mac, using various versions of Safari under OS 10.4. They will be changing site addresses soon, which breaks the stored credentials. I would like to be able to see the site at the new address, but I suspect the password is stored in a cookie, as I can find nothing about the site using Keychain Access. I would just recover/change the password via the site, but I cannot access my account information, due to the domain change underway, and I no longer have access to the email account I used on the site. Also, it is, ahem, an invite only site, so that's out too.

I've not dug my paws deeply enough into cookies on the Mac to know where to look or much about cookie storage via Safari. I would try XMarks, but it is not available for 10.4.

Any suggestions, oh Mac-savvier group mind?
posted by Samizdata to Computers & Internet (13 answers total)
 
Which version of Safari are you using?

Here are some instructions on how to view the contents of Safari cookies, but the info may not apply to your older version:

http://kb.iu.edu/data/amhi.html
posted by mosk at 12:21 PM on January 16, 2011


Safari version is 4.1.3. He may be old, but I try to keep him as up to date as possible.
posted by Samizdata at 12:26 PM on January 16, 2011


I might as well not dance around it.

The site is Demonoid.
posted by Samizdata at 12:28 PM on January 16, 2011


It's probably in Safari's form-autofill database, which is encrypted by a key stored in Keychan Access. Poking around Safari's preferences, I don't see a way to list your stored autofill info, though.
posted by hattifattener at 12:58 PM on January 16, 2011


You can view your cookies as described in mosk's link, but the cookie is unlikely to have your password in it. Storing your password in the cookie such that you could look at it means that someone else could also look at it, either by looking at your computer or by intercepting any http request your browser sent to the site. Instead, the typical solution is to use the password to authenticate you, but then store some sort of hash in the cookie so that the site can check that you're using that cookie, but nobody can use the information from the cookie to log in as you. Small chance that the username will be visible in the cookie, but almost no chance you can get the password from it. Sorry.
posted by JiBB at 1:12 PM on January 16, 2011


Oh, I forgot about Autofill, because I don't use it for passwords. Was your situation that when you went to the site you were logged in? In that case, things were done with cookies, and like I said above, you probably can't get the password from them. If it was that when you went to the site Safari filled in the username and password for you, you could then hit "log on," and go about your business, then Safari is recording your password (encrypted) somewhere, and there's probably some way to find it.
posted by JiBB at 1:25 PM on January 16, 2011


It is being logged in when I visit the site.

Well, poo. Trying to get an invitation there can really suck. I got in a while back during an open weekend.
posted by Samizdata at 1:30 PM on January 16, 2011


This is a little advanced, how much do you want it? Also, I only have Safari 5 available to me, so you might have to adjust a bit.

The Goal: use the Safari JavaScript debugger to get the value of the password field. OS X secures password fields so that you can't copy from them, but in JS it's perfectly legal to just ask for the value.

1) you need to enable Developer menu. You just go to Preferences -> "Show Develop menu in menu bar". I think this works the same way in Safari 4 as it does in 5, although you may have to restart to see the new menu item.

2) go to your webpage. Let it load and autofill.

3) enable the web inspector. Go to "Develop" -> "Show Web Inspector". You should get a new tool popup at the bottom of the page.

4) enable the Scripts tab. Select it and "Only enable for this session".

5) enable the console. There's a couple icons at the bottom left, one of which should be a greater-than symbol with some lines. Click on that to get the console (hovering over it might also show a tooltip saying something about the console). If it worked you should get a new pane with a "> " and a flashing cursor.

5) get the password! Type in:

document.getElementById('password').value

Hit return and it should print your password in quotes. It might be javascript escaped if you have any special characters. For example, a single '\' in the password will be '\\'. A double quote ('"') will be '\"'.

Note: I know the element ID is 'password' because I went to Demonoid and looked it up for you. You can right click on the password box and do 'inspect element' to see its HTML directly and what it's ID is. Not every password field has an ID, so on other sites you might need to be more clever. For example, if it only has a NAME that is 'funny_password' then the code might be:

document.getElemementsByName('funny_password')[0].value

That's because an ID must be unique in a document but a NAME can appear multiple times. So the getElementsByName returns an array and we choose the first array item and get its value.
posted by sbutler at 2:56 PM on January 16, 2011


Even easier: download Safari Cookie Cutter, and rename the demonoid.com uid and uhsh cookies to demonoid.me. Then you can log in to the new website…
posted by Pinback at 3:03 PM on January 16, 2011


Pinback: that's assuming that the password is actually stored in a cookie and not just being autofilled by the Safari database. Or that login sessions that are valid for the old site remain valid on the new site.

I don't think most modern sites store the password in the cookie. MetaFilter used to, then encrypted it, but now I think it is all session based. Slashdot also used to but I don't believe they have for years.
posted by sbutler at 3:11 PM on January 16, 2011


"Or that login sessions that are valid for the old site remain valid on the new site."

Bingo. Turns out they are, presumably because the two domains are pointing at exactly the same server(s).

I know it works, 'cos I tried it, backwards and forwards between the two sites, using an old session I had in Safari. Works like a charm.

Yours is a general solution; mine works in this specific case.
posted by Pinback at 3:37 PM on January 16, 2011


Thankee kindly, folks.

But an ever-so-nice MeFi allowed me an end run around the problem so I am good to go.
posted by Samizdata at 11:44 AM on January 17, 2011


Here's another approach to seeing what's in an auto-filled password box.
posted by JiBB at 11:54 AM on March 31, 2011


« Older Does McSorley's Old Ale House ...   |  Why can't my Sorel boots play ... Newer »
This thread is closed to new comments.