Many people spend a lot of their time during the day chatting online with friends. It can be a fun way to pass some time and catch up with what your friends are doing, but is it secure?




Last week we demonstrated why you shouldn’t store your password in a Web browser without using a master password. Otherwise it is very easy for anyone to gain access to all of your passwords by spending just a few seconds on your computer. Instant Messengers are the exact same way!

One of the tools that we used to “recover” our Internet Explorer stored passwords was called IE PassView, and there is an application by the same company called MessenPass (Download Mirror) that will retrieve all stored passwords for instant messenger applications. I was a little reluctant at first as to how well this would work, but I quickly found out that it was for real:

MessenPass

All I did was download and run the 44KB application (no installation necessary) to have it reveal my password for Pidgin. That means anyone could have put this program on their USB drive and retrieved my passwords by running the program on my PC. Then, to make it even easier, they can store the passwords as an HTML file so that they don’t have to write anything down.

Oh, and the odds are very good that your messenger is not free from such an attack considering MessenPass works with almost all of them:

  • MSN Messenger
  • Windows Messenger (in Windows XP)
  • Windows Live Messenger (in Windows XP and Vista)
  • Yahoo Messenger (Versions 5.x and 6.x)
  • Google Talk
  • ICQ Lite 4.x/5.x/2003
  • AOL Instant Messenger (only older versions, the password in newer versions of AIM cannot be recovered)
  • AOL Instant Messenger/Netscape 7
  • Trillian
  • Miranda
  • GAIM/Pidgin

Think about what would happen if someone got their hands on your messenger password. That would mean that they could access your email as well, and the odds are probably very high that your messenger password is the same as what you use with online banking. As you can see, the result can be pretty devastating.

So how can you get around such an attack? The program can only retrieve passwords from the messenger applications if you use the “Remember my Password” option when logging in. If you don’t have the messenger remember the password, a hacker would not be able to retrieve it.

Also, MessenPass can only work for the user who is currently logged in. That means when you walk away from the computer you should log out of it if there is any chance that someone else might use it.
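To check whether the “Remember my Password” option has left anything behind in Pidgin, the following added example (not part of the original post and not MessenPass code) lists which accounts in a Pidgin profile have a saved password, without ever displaying the password itself. The `accounts.xml` layout, the `.purple` profile location and the sample data are assumptions constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for Pidgin's accounts.xml:
# a root <account> element wrapping one <account> per configured login.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>alice@example.org/Home</name>
  <password>constructed-sample-value</password>
 </account>
 <account>
  <protocol>prpl-aim</protocol>
  <name>bob_example</name>
 </account>
 <account>
  <protocol>prpl-yahoo</protocol>
  <name>carol_example</name>
  <password></password>
 </account>
</account>
"""

def default_accounts_path():
    # Assumed profile location: %APPDATA%/.purple on Windows, ~/.purple elsewhere.
    base = os.environ.get("APPDATA") or os.path.expanduser("~")
    return os.path.join(base, ".purple", "accounts.xml")

def accounts_with_saved_password(xml_text):
    """Return (protocol, name) for each account that has a non-empty saved
    password. The password value is never returned or printed."""
    findings = []
    for acct in ET.fromstring(xml_text).iter("account"):
        name = acct.findtext("name")
        if name is None:  # the wrapping root element has no <name> child
            continue
        if (acct.findtext("password") or "").strip():
            findings.append((acct.findtext("protocol", "unknown"), name))
    return findings

if __name__ == "__main__":
    path = default_accounts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ACCOUNTS_XML  # fall back to the constructed sample
    for proto, name in accounts_with_saved_password(text):
        print(f"saved password present: {proto} {name} (turn off the remember option)")
```

Any account it reports should have the remember option switched off and, since the password has been sitting on disk, the password changed.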

The moral of the story is to keep your passwords safe by not storing them on the computer. That’s what your head is for! Oh, and putting your password on your monitor with a sticky note is not any better. :)

MessenPass Homepage (Download Mirror)