Password recovery from open applications

Well I had a minor hiccup today when I decided it was ‘password change day’. I duly went around changing the password on all my systems. Then I got back to work. 10 minutes later I turned to my other system and typed in the password.
… It didn’t work …
I smacked my head and said to myself “D’oh”, I need to use the new password. But I couldn’t remember all of it. All I had was a few characters I could remember and the fact that my mail program was checking the mail every few minutes and still working.

First I got the pid of thunderbird…

~% ps -fe | grep thunder
1000     17509     1  0 13:19 ?        00:00:00 /bin/sh /usr/bin/thunderbird
1000     17521 17509  0 13:19 ?        00:00:00 /bin/sh /usr/lib/thunderbird/ /usr/lib/thunderbird/thunderbird-bin
1000     17526 17521  0 13:19 ?        00:00:24 /usr/lib/thunderbird/thunderbird-bin
1000     19101 19006  0 14:09 pts/10   00:00:00 grep thunder

Then I got the address of the heap from the process’ maps

~% grep 'heap' /proc/17526/maps
08d02000-0a9ad000 rw-p 08d02000 00:00 0          [heap]

I compiled up memory_dumper, and ran it against the process and heap addresses listed.

% ./memory_dumper 08d02000 0a46a000 17526 heap

Then I ran strings on the resulting file, looking for the pattern that matched my remembered password

% strings heap | grep t%7

4 copies of the password in memory in the program. That is just in-freaking-sane. It should be present in the program only once, and should probably be concealed using some form of obfuscation. Mind you, it has kept the new password in my mind now, so I should be grateful.

And just in case you feel like trying the password listed, don’t. It’s not the real password 😉