Browser Password Inspector Product Manual
To learn about this product, please read the tutorial below.
What is the Browser Password Inspector?
The Browser Password Inspector is a free tool that checks the computers in your Active Directory for threats related to passwords stored in browsers.
The BPI will connect to each available computer in your AD and will attempt to retrieve any passwords saved in Chrome, Firefox, and new versions of Edge. Any found passwords will be hashed (using NT hash), and the hash will be encrypted and sent to the machine on which BPI is installed. The tool then compares these password hashes against the domain password hashes to determine if there is any match. Then it will compare the same hashes with the ones from a weak password database to check for weak web passwords. The results will be represented as a yes or no value.
The results will display which users are using, and saving, their domain passwords in browsers, the reuse of passwords across multiple websites, and if there are weak passwords saved in browsers. The report will also show the different ways the passwords are being used and the number of times the passwords were stored and used. The results will be grouped by the following browsers: Chrome, Firefox, and new versions of Edge.
Results are presented in two forms:
- On the user interface of the product
- As a PDF report
On the user interface, results are displayed using graphical elements for a quick overview of the most important findings, and a table which presents the details for each domain user who was found to save passwords in browsers.
In the PDF report, results related to each individual user will be grouped by the following:
- Number of unique passwords stored and used
- The age of the stored password
- The browser the password is stored in
- The similarity of the passwords used
Is My Information Safe?
Yes. It's important to note that this tool will never display or report the actual passwords of any user accounts in your AD. Passwords within AD are in a hashed format and will never be visible at any point. The test results will simply identify the user accounts which failed the test so you can decide how to correct that.
Additionally, the data pulled from the scanned machines is encrypted. The information obtained during the test is saved in local memory, not to disk. The only information returned to KnowBe4 is a total count of the machines scanned during the test.
BPI deploys software agents to the targeted machines to complete its testing. The agents are installed before the scan and removed after the scan is complete, so they don't remain on the machines.
To run the Browser Password Inspector, the system you use must have the following:
- Windows 7 or higher
- A processor with at least 2 cores
- 2 GB RAM
- Internet connection
Installation and Setup
This test will only work on Windows machines that are connected to the internet.
- Sign up for your Browser Password Inspector by navigating to the Browser Password Inspector home page.
- Upon signing up, we will email you a unique License Key, which you'll need to enter prior to running the test.
- Download and run the installer file for the Browser Password Inspector.
- Review and agree to the License Agreement and then click Install to complete the installation.
- Launch Browser Password Inspector. Click Yes if prompted to allow it to run.
- Enter your unique License Key and click OK.
- Next, you'll need to enter your Active Directory Details and your Domain Admin Credentials.
- Select or search for the computers that you want to run this test on, and click Start Test.
- The test will analyze your Active Directory account for any passwords stored on browsers.
- Your results will be displayed on-screen as soon as the test is complete.
Types of Failures
The Browser Password Inspector analyzes your data to look for the following failure types which can leave your organization vulnerable to attack:
1) Vulnerable Accounts
The accounts in this category have an Active Directory password that matches at least one web password saved in a browser by the user.
2) Accounts Using Weak Passwords
The accounts in this category have a user saving, and using, weak passwords that are currently present in different databases publicly available on the Internet.
3) Accounts Reusing Passwords
The accounts in this category have a user that is using the same password to log on to different websites.
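The three failure types can be decided from hashes alone, with no plaintext password involved. The sketch below is an added illustration, not KnowBe4's code: the record layout, the function name classify and every user, website and hash value are constructed for the example, and the 32-hex-digit strings only stand in for NT hashes.

```python
from collections import defaultdict

# Constructed sample data: 32-hex-digit strings stand in for NT hashes.
DOMAIN_HASHES = {"alice": "AA" * 16, "bob": "bb" * 16, "carol": "cc" * 16}
WEAK_HASHES = {"11" * 16, "22" * 16}

# (user, browser, website, hash of saved password); every value is constructed.
SAVED = [
    ("alice", "Chrome", "intranet.example", "aa" * 16),  # equals alice's AD hash
    ("alice", "Firefox", "shop.example", "33" * 16),
    ("bob", "Edge", "mail.example", "11" * 16),          # on the weak list
    ("bob", "Chrome", "forum.example", "44" * 16),
    ("bob", "Chrome", "news.example", "44" * 16),        # same hash, second site
    ("carol", "Firefox", "wiki.example", "55" * 16),
    ("carol", "Chrome", "wiki.example", "55" * 16),      # same site, two browsers
]


def classify(saved, domain_hashes, weak_hashes):
    """Return per-user yes/no flags for the three failure types."""
    weak = {h.lower() for h in weak_hashes}
    sites = defaultdict(set)  # (user, hash) -> websites that hash was saved for
    report = {}
    for user, _browser, site, pw_hash in saved:
        pw_hash = pw_hash.lower()  # hex digests compare case-insensitively
        row = report.setdefault(
            user, {"vulnerable": False, "weak": False, "reuse": False, "stored": 0}
        )
        row["stored"] += 1
        ad_hash = domain_hashes.get(user)
        if ad_hash is not None and pw_hash == ad_hash.lower():
            row["vulnerable"] = True  # browser password equals the AD password
        if pw_hash in weak:
            row["weak"] = True
        sites[(user, pw_hash)].add(site.lower())
    for (user, _hash), where in sites.items():
        if len(where) > 1:  # reuse means different websites, not two browsers
            report[user]["reuse"] = True
    return report


if __name__ == "__main__":
    for user, row in sorted(classify(SAVED, DOMAIN_HASHES, WEAK_HASHES).items()):
        print(user, {k: ("yes" if v is True else "no" if v is False else v) for k, v in row.items()})
```

In this sample, carol saved one password for the same website in two browsers, which counts as two stored passwords but not as reuse.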
Analyzing Your Results
The results of the Browser Password Inspector will show you the number of accounts that are using and saving passwords in their browsers. You will see a pie chart that compares the different password failure types.
Each of your AD accounts will be listed with a checkmark that indicates the specific failures that were found on that particular account. You can click each of the failures on the left to filter the results to only show the accounts which have that failure type. You can also search for a specific account by entering characters into the search box.
You can view your results on-screen instantly, or you can export the results as an Excel Spreadsheet or PDF file. If you plan on rerunning the test, make sure you save your results first.
- Filter your results.
- Search for specific accounts.
- The information in the columns will tell you the account name, how many passwords were found in browsers, the computers these passwords were found on, and the date of the oldest saved password.
- Export your results.
- Click to rerun the test.
- View details. This will show you information on the computers that were scanned, whether the scan was successful, whether the user was logged in, the start time of the scan, the duration of the scan, and the last error message.