Author Topic: Forgotten Password Retrievable from Cookies?  (Read 1798 times)

Forgotten Password Retrievable from Cookies?
« on: 14 February, 2020, 01:51:10 pm »
I have a colleague who's forgotten a password.  Is it possible to retrieve a password from the relevant cookie?

Re: Forgotten Password Retrievable from Cookies?
« Reply #1 on: 14 February, 2020, 02:02:32 pm »
No (unless the website is amazingly badly designed), cookies and passwords are completely different things.
"Yes please" said Squirrel "biscuits are our favourite things."

ian

Re: Forgotten Password Retrievable from Cookies?
« Reply #2 on: 14 February, 2020, 02:50:12 pm »
Most browsers also feature a password manager that can be queried (if, of course, you use it to save passwords).

Re: Forgotten Password Retrievable from Cookies?
« Reply #3 on: 14 February, 2020, 03:00:15 pm »
It's apparently for a Gmail email account.

I guess she'll just have to renew the password.

Re: Forgotten Password Retrievable from Cookies?
« Reply #4 on: 14 February, 2020, 09:21:32 pm »
There is usually a link on web sites for when a password has been forgotten.

Unfortunately, this is a home-brew website and the designer of it has disappeared.
Fortunately, said colleague has found the lost password.
Quote from: tiermat
that's not science, it's semantics.

Re: Forgotten Password Retrievable from Cookies?
« Reply #5 on: 14 February, 2020, 09:24:36 pm »
Thanks, PO, for your help!

Re: Forgotten Password Retrievable from Cookies?
« Reply #6 on: 15 February, 2020, 10:03:48 am »
Design for this in advance.

For Web site management and similar, ideally have two administrator accounts held by different people. Or, if unavoidable, have two different people hold the administrator password. These people should be unrelated and unlikely to leave at the same time.

For personal accounts, set up the recovery addresses and other measures in case of lost passwords. Choose recovery email addresses that are unlikely to change (as far as feasible).

Obviously, passwords in a password manager, and make sure that its file is stored somewhere secure.

Cookies generally hold no information of interest, as said up-thread. They don't need to. All they need hold is a unique identifier of you, or of your session on the service, that is otherwise meaningless. The real information is stored on the service's computers; the code in the cookie is just used to look it up. Even the service won't have your password though, unless it's really badly designed. Your password isn't stored anywhere. Instead, your password is encrypted, and the result is stored. When you sign in, the password that you submit is also encrypted, and the result is compared with the stored one. So, even breaking into the system, an attacker should not be able to get your password, unless that attacker can reverse the encryption.
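An added sketch of the scheme Reply #6 describes, not code from any poster or from the website discussed: the cookie carries only a random session identifier that the server looks up, and the server keeps a salted one-way hash (PBKDF2-HMAC-SHA256 here, for the step the post calls encryption) rather than the password. The function names, the in-memory dicts and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

users = {}     # username -> (salt, password hash); the password itself is never kept
sessions = {}  # opaque session id -> username; lives only on the server


def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow, salted, one-way derivation of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[username] = (salt, _hash(password, salt))


def login(username: str, password: str):
    """Return the cookie string on success, None on failure."""
    # Unknown users get a dummy salt and an empty hash so the work done is similar.
    salt, stored = users.get(username, (b"\0" * 16, b""))
    candidate = _hash(password, salt)
    if not hmac.compare_digest(candidate, stored):  # constant-time comparison
        return None
    sid = secrets.token_urlsafe(32)  # random, meaningless outside this server
    sessions[sid] = username
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax"


def whoami(cookie: str):
    """Resolve a cookie to a user by looking its identifier up server-side."""
    sid = cookie.split(";")[0].partition("=")[2]
    return sessions.get(sid)


if __name__ == "__main__":
    register("alice", "correct horse")        # constructed sample credentials
    cookie = login("alice", "correct horse")
    print(cookie)                              # contains no trace of the password
    print(whoami(cookie))                      # alice
    print(login("alice", "wrong guess"))       # None
```
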

Phil W

Re: Forgotten Password Retrievable from Cookies?
« Reply #7 on: 15 February, 2020, 11:49:41 am »
And I bet she did remember the password but was in a sod you mood at the time. But also a good example of a company that didn’t have a succession plan for when staff move on.

Kim

Re: Forgotten Password Retrievable from Cookies?
« Reply #8 on: 15 February, 2020, 04:02:02 pm »
... two different people hold the administrator password.

That is good advice. It reminds me of a similar but not web-based situation when I was doing IT support for a high tech. company that was very security conscious; everything had passwords. The engineering department had a contractor who applied for a permanent post that came up - the one they had been filling for the last 18 months. Everyone liked the contractor and expected her to get the job but the boss had someone else in mind so she didn't. On the Monday after she finished no one could open up the spreadsheet that contained all her work because no one knew the password. When telephoned she said she could not remember it either, so the company lost 18 months' work - all because only one person knew the password.

And somewhat less dramatically, in every grassroots non-profit organisation ever, you tend to end up with The Person Who Knows Computers sorting out all the webby stuff.  All is well, until they then suffer from an outbreak of real life commitments; illness; flounce; get run over by a bus; or vanish into an autistic failure-to-communicate black hole.  Bonus points for things being tied to people's personal email etc. accounts.

Kim

Re: Forgotten Password Retrievable from Cookies?
« Reply #9 on: 15 February, 2020, 04:05:18 pm »
And I bet she did remember the password but was in a sod you mood at the time.

Forgetting a password, unlike actively deleting data, isn't an offence under the Computer Misuse Act.  (Let's not go into RIPA.)

Re: Forgotten Password Retrievable from Cookies?
« Reply #10 on: 15 February, 2020, 05:35:38 pm »
And somewhat less dramatically, in every grassroots non-profit organisation ever, you tend to end up with The Person Who Knows Computers sorting out all the webby stuff.  All is well, until they then suffer from an outbreak of real life commitments; illness; flounce; get run over by a bus; or vanish into an autistic failure-to-communicate black hole.  Bonus points for things being tied to people's personal email etc. accounts.
My last two roles have involved, as a minor side-line, sorting out what happens when volunteers move on from local branches of national organisations, and no-one knows as a result how to get access. Sometimes, the former volunteer will own both the domain registration and the Web provider account...

T42

Re: Forgotten Password Retrievable from Cookies?
« Reply #11 on: 16 February, 2020, 10:22:02 am »
Maybe a fortune cookie?

IGMC
I've dusted off all those old bottles and set them up straight

Re: Forgotten Password Retrievable from Cookies?
« Reply #12 on: 21 February, 2020, 09:31:16 am »
... two different people hold the administrator password.

That is good advice. It reminds me of a similar but not web-based situation when I was doing IT support for a high tech. company that was very security conscious; everything had passwords. The engineering department had a contractor who applied for a permanent post that came up - the one they had been filling for the last 18 months. Everyone liked the contractor and expected her to get the job but the boss had someone else in mind so she didn't. On the Monday after she finished no one could open up the spreadsheet that contained all her work because no one knew the password. When telephoned she said she could not remember it either, so the company lost 18 months' work - all because only one person knew the password.

And somewhat less dramatically, in every grassroots non-profit organisation ever, you tend to end up with The Person Who Knows Computers sorting out all the webby stuff.  All is well, until they then suffer from an outbreak of real life commitments; illness; flounce; get run over by a bus; or vanish into an autistic failure-to-communicate black hole.  Bonus points for things being tied to people's personal email etc. accounts.

We'd a few when redundancies were being.  They'll never be able to get rid of so-and-so we said.  But hey, they came through the one-way door with the rest of us and life went on.   
Move Faster and Bake Things

Afasoas

Re: Forgotten Password Retrievable from Cookies?
« Reply #13 on: 07 March, 2020, 02:09:53 pm »
nirsoft provides a tool that can dump saved passwords out of browsers. Not sure that it remains as effective as it was, but I had to replace a relative's laptop and he didn't know any of his passwords. I was able to get all of the saved passwords out of Chrome. Sadly, couldn't quite talk him into using Keepass.