PwlTool
v3.0

password recovery tools for MS Windows 95/98

(c) 1998 Vitas Ramanchauskas & Eugene Korolev, vitas@webdon.com


WARNING!
This is a brief version of the page http://webdon.com/vitas/pwl.htm. Visit that page for the latest and full version.


What is a PWL file?

If, while entering a password, you ask Windows to save it, Windows stores that password in a PWL file. PWL files are kept in the Windows directory and are usually named USERNAME.PWL. Keep in mind that a saved password can be extracted by an attacker, so passwords should be saved only if no unauthorized person can access your computer. A PWL file is encrypted, and extracting passwords from it is not trivial. The encryption used by the first Windows 95 release was quite poor, which allowed a program for decrypting PWL files to be written. In the OSR2 release this weakness was fixed, and decrypting a PWL file is now much harder.

How reliable are PWL files?

Despite the information on this site, the password storage system in OSR2 is on the whole done quite professionally and is sound in terms of cryptography. Still, it has several serious drawbacks, namely:

  1. All passwords are converted to uppercase, which significantly reduces the number of possible passwords and allows a faster password search. Note that the low-level password engine uses the password "as is", i.e. does not convert it to uppercase; the conversion is entirely the fault of the high-level part. This drawback is aggravated by #2.
  2. MD5 and RC4 are professional, cryptanalysis-resistant algorithms, but they are fast, which permits a very fast password search. A slower key derivation (a slower algorithm such as DES or RSA, or a deliberately iterated hash) should have been used. Taking #1 into account, a reliable Windows password must be at least nine characters long.
  3. The password caching system is inherently unreliable: if some program can retrieve a previously saved password, then any hacker can do the same. Microsoft should have explained to its customers that passwords should be saved only if no unauthorized person can access the computer. Yet abandoning password saving altogether would be inconvenient. The right thing to do would be to provide one more mode of operation for Windows (and make it the default) in which all passwords could be saved, but retrieving them would require entering a short master password every time.

How to obtain information from PWL files?

The information in a PWL file is encrypted with the user's logon password. The logon password itself is not stored anywhere. Therefore, once the logon password is known, getting information out of a PWL file poses no problem. If it is unknown, it has to be recovered, and a password search (deriving a key from each candidate password and checking whether it decrypts the file) is the only way to do it.
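The following is an added example, not PwlTool's code and not the real PWL file format. It builds a toy password container with the properties listed in drawbacks #1 and #2 above (password folded to uppercase, key derived with a single fast MD5, data encrypted with RC4) beside a variant that keeps the password's case and derives the key with a deliberately slow, salted PBKDF2-HMAC-SHA256 (one way to realise the "slower algorithm" of #2, and the kind of derivation a master-password mode as in #3 would use). It then runs the password search described above against both containers with the same word list, so the effect of case folding and of hash speed on the number and cost of guesses is visible. The MAGIC marker, the sample cached credential, the username VITAS and the word list are constructed for this illustration; the blob layout and all function names are assumptions, not anything from Windows.

```python
# Added example: toy model of the weaknesses described above. Not PwlTool's
# code and not the real PWL layout; MAGIC, the word list and the sample
# secret are constructed for the illustration.
import hashlib
import os
import time
from typing import Callable, Iterable, Optional, Tuple

# Known-plaintext marker (constructed). A candidate key is judged correct if
# the decrypted data starts with it; that is how a search tells hit from miss.
MAGIC = b"PWLTOY"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def weak_key(username: str, password: str) -> bytes:
    """Drawbacks #1 and #2 in one line: case folded, one fast MD5, no salt, no iteration."""
    return hashlib.md5((username + ":" + password.upper()).encode("latin-1")).digest()


def strong_key(username: str, password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """The alternative: case kept, per-file salt, slow iterated PBKDF2-HMAC-SHA256."""
    data = (username + ":" + password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations, 16)


def seal(key: bytes, secrets: bytes) -> bytes:
    """Encrypt MAGIC + cached secrets under the derived key."""
    return rc4(key, MAGIC + secrets)


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the cached secrets if the key is right, else None."""
    plain = rc4(key, blob)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None


def search(blob: bytes, candidates: Iterable[str], derive: Callable[[str], bytes],
           fold_case: bool) -> Tuple[Optional[str], int]:
    """Password search: returns (password found or None, number of keys derived).

    With fold_case=True (the weak scheme) every candidate that differs from an
    earlier one only in case collapses into the same uppercase probe, so a whole
    family of guesses costs a single key derivation.
    """
    tried = set()
    count = 0
    for cand in candidates:
        probe = cand.upper() if fold_case else cand
        if probe in tried:
            continue
        tried.add(probe)
        count += 1
        if unseal(derive(probe), blob) is not None:
            return probe, count
    return None, count


def case_variants(words: Iterable[str]) -> Iterable[str]:
    """Typical cracker mangling rules: a few case variants of each word."""
    for w in words:
        for v in (w, w.lower(), w.upper(), w.capitalize(), w.swapcase()):
            yield v


WORDS = ["fishing", "Letmein", "passw0rd", "Secret", "Windows95", "vitas"]  # constructed word list


def demo(username: str = "VITAS", real_password: str = "sEcReT") -> dict:
    """Seal one cached credential both ways and search each with the same word list."""
    secrets = b"pop3:mail.example.test:hunter2"  # constructed cached credential
    weak_blob = seal(weak_key(username, real_password), secrets)
    salt = os.urandom(8)
    strong_blob = seal(strong_key(username, real_password, salt), secrets)
    t0 = time.perf_counter()
    weak = search(weak_blob, case_variants(WORDS), lambda p: weak_key(username, p), True)
    t1 = time.perf_counter()
    strong = search(strong_blob, case_variants(WORDS), lambda p: strong_key(username, p, salt), False)
    t2 = time.perf_counter()
    return {"weak": weak, "weak_seconds": t1 - t0, "strong": strong, "strong_seconds": t2 - t1}


if __name__ == "__main__":
    r = demo()
    print(f"weak:   found {r['weak'][0]!r} after {r['weak'][1]} keys in {r['weak_seconds']:.4f} s")
    print(f"strong: found {r['strong'][0]!r} after {r['strong'][1]} keys in {r['strong_seconds']:.4f} s")
```

Against the weak container the search recovers the password as SECRET on the fourth key derivation, because all case variants of a word fold to one guess and the real password "sEcReT" folds to the same thing; the user's actual capitalisation is irrelevant. Against the case-preserving container the same word list costs 21 derivations, each tens of milliseconds instead of microseconds, and still misses, because none of the mangled variants matches the exact spelling. Neither the salt nor the iteration count makes a password search impossible; they only make each guess expensive, which is exactly the property the page says MD5 and RC4 lack.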

PWLView

With access to a computer, it poses no problem to acquire all passwords that have been saved on it. This can be done with a small program, PwlView (no longer available). The program was released in a hurry without any documentation (I thought it was self-explanatory); as a result I was flooded with hundreds of questions about it. PwlView has been distributed quite widely and is available on various sites under various names. PwlView simply shows cached passwords using a standard (but undocumented) Windows API, on the local machine, for the current user (the user must be logged in), and nothing more. PwlTool (even its DEMO version) also provides that function.

Windows versions

The original Windows 95 release (as well as Windows 3.11) contained a gross error that enabled easy deciphering of PWL files. In OSR2 this error was corrected, although security problems persist (as described above). Windows 98 does not seem to differ from OSR2 as far as security is concerned, but Windows NT is built quite differently.