PWL files contain valuable information such as dial-up and network passwords. They are a universal store for sensitive information: any program could use PWL files. However, Microsoft does not provide a technical specification for PWL files or an API description (as far as I know), so usually only Microsoft programs use them.
In other words, a PWL file is a secured database. Each record has three fields: a resource type, a resource name and a resource password.
Both the resource name and the resource password may be binary. Moreover, a program may interpret these fields as it wants, so the 'resource name' need not be a name and the 'resource password' need not be a password. There is a limit of 255 records per PWL file. All records, along with the user name and a checksum, are encrypted with the strong RC4 cipher. The encryption key is derived from the login password.
Windows uses PWL files to verify the login password, but the login password itself is not stored in the PWL file. Windows decrypts the PWL file with the entered password and then verifies the checksum; if the checksum is correct, the entered password is assumed to be valid. So a PWL file can be opened only if both the login password and the user name are known. If the login password is unknown, a search is the only way to get at the PWL file's contents. The user name must be known because it is involved in the checksum verification.
Usually the PWL file name is the same as the user name, but this is not guaranteed. A PWL file name never exceeds 8 characters. By default PWL files are located in the Windows directory. Windows never overwrites PWL files, so the resulting PWL file name may be mangled: for example, if robert.pwl already exists, the new PWL file for user Robert will be named rober000.pwl, the next one rober001.pwl, and so forth.
Both the user name and the login password are case sensitive for the PWL file; however, high-level Windows functions convert them to uppercase. There is one exception: the dial-up networking server uses the rna.pwl file to store connection passwords, and its user name is *Rna (case sensitive).
Each PWL file must be registered in the system. There is a [Password Lists] section in the system.ini file, and each line in this section looks like this: USERNAME=FullPathToPwlFile
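An added example (my own code, not PwlTool's or Windows') of the two bookkeeping rules above: reading the [Password Lists] registrations out of a constructed system.ini, and computing the name Windows would give a new PWL file when it refuses to overwrite an existing one. The "first five characters plus a three-digit counter" rule is assumed from the robert.pwl / rober000.pwl example; the 8-character limit is as stated.

```python
from typing import Dict, List

# Constructed sample of a system.ini with the [Password Lists] section
# in the USERNAME=FullPathToPwlFile form described above (made-up paths).
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe

[Password Lists]
ROBERT=C:\\WINDOWS\\ROBERT.PWL
*Rna=C:\\WINDOWS\\RNA.PWL
ALICE=C:\\WINDOWS\\ALICE.PWL
"""


def parse_password_lists(ini_text: str) -> Dict[str, str]:
    """Return {username: pwl_path} from the [Password Lists] section."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "password lists"
            continue
        if in_section and "=" in line:
            user, path = line.split("=", 1)
            entries[user.strip()] = path.strip()
    return entries


def next_pwl_name(user: str, existing: List[str]) -> str:
    """Name Windows gives a new PWL file for `user`.

    USER.PWL if that is free; otherwise a mangled name built from the first
    five characters plus a three-digit counter (ROBER000.PWL, ROBER001.PWL, ...).
    The five-plus-three split is assumed from the page's robert example; the
    8-character limit and the no-overwrite rule are as the page states.
    """
    taken = {n.upper() for n in existing}
    base = user.upper()[:8]
    if f"{base}.PWL" not in taken:
        return f"{base}.PWL"
    stem = user.upper()[:5]
    for n in range(1000):
        candidate = f"{stem}{n:03d}.PWL"
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free mangled name for " + user)
```

An administrator can run parse_password_lists over a real system.ini to inventory which PWL files are registered and where they live.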
The following resource types are the most useful.
6 - this resource type is used by dial-up networking and the MS Crypto API. Dial-up networking uses PWL files as follows: the resource name looks like *Rna\ConnectionName\Username and the resource password is the connection password.
19 - WWW resource (used by Internet Explorer). The resource name has the syntax DomainName/Page title. The resource password contains the login name and password separated by a colon, for example John:abc.
You can use the pwlview program to examine the current user's PWL file contents.
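An added example (not pwlview's code) that interprets the two record layouts just described: type 6 names of the form *Rna\ConnectionName\Username, and type 19 names of the form DomainName/Page title with a login:password resource password. The records are constructed; the parser keeps only the password length, since an inventory of what is cached does not need the secret itself, and it skips binary names and passwords as the page says they can be.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records as (resource type, resource name, resource password);
# made-up values, not taken from any real PWL file.
SAMPLE_RECORDS: List[Tuple[int, bytes, bytes]] = [
    (6, b"*Rna\\MyISP\\john", b"s3cret"),
    (19, b"www.example.com/Members area", b"John:abc"),
    (19, b"intranet.example.com/Wiki", b"alice:pa:ss"),  # colon inside the password
    (6, b"\x01\x02\x03", b"\xff\xfe"),                   # binary name: not a dial-up entry
]

@dataclass
class Entry:
    kind: str            # "dial-up" or "www"
    where: str           # connection name or domain
    login: Optional[str]
    secret_len: int      # only the length is kept; the password itself is not

def decode_text(raw: bytes) -> Optional[str]:
    """Fields may be binary; return a str only for printable ASCII."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def parse_record(rtype: int, name: bytes, password: bytes) -> Optional[Entry]:
    """Interpret the two resource types documented above; skip anything else."""
    text = decode_text(name)
    if text is None:
        return None
    if rtype == 6 and text.startswith("*Rna\\"):
        # *Rna\ConnectionName\Username; the password is the connection password
        parts = text[len("*Rna\\"):].split("\\", 1)
        if len(parts) != 2:
            return None
        return Entry("dial-up", parts[0], parts[1], len(password))
    if rtype == 19:
        # DomainName/Page title; the password is "login:password", split at the first colon
        cred = decode_text(password)
        if cred is None or ":" not in cred:
            return None
        login, secret = cred.split(":", 1)
        return Entry("www", text.split("/", 1)[0], login, len(secret))
    return None

def inventory(records):  # defender's view of what is cached, with no secrets exposed
    return [e for e in (parse_record(*r) for r in records) if e is not None]
```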
The original Windows 95 version contained a gross error which enabled easy extraction of cached passwords (in fact, this is possible for most, but not all, PWL files). A well-known program called glide does this. However, the original glide.exe uses an imperfect algorithm, so it fails often. In the OSR2 version this error has been corrected, although security problems persist (as you can see). Windows 98 does not seem to differ from OSR2 in terms of security, but Windows NT is built quite differently (click here for NT recovery). As for Windows 3.11, its PWL files are the same as in the original Windows 95.
You should keep in mind that a saved password can be extracted by a malefactor; therefore passwords should only be saved if no unauthorized personnel can access your computer. It has to be mentioned that a PWL file is encrypted and it is not easy to extract passwords from it. The encryption algorithm of the first Windows 95 version was quite poor, which allowed a program for decrypting PWL files to be created. However, in the OSR2 version this drawback has been fixed, and it is now much harder to decrypt a PWL file.
Despite the information contained on my site, the password storage system in OSR2 is generally made quite professionally and is reliable from the cryptographer's point of view. Still, it contains several quite serious drawbacks, namely:
Here is one interesting note. There are export limitations in effect in the USA on encryption systems with a key longer than 40 or 56 bits (depending on the system's purpose). Windows uses the professional RC4 cipher with a 128-bit key (the 128-bit key is obtained by converting a password of unlimited length). This code is present in all Windows versions, including the international ones. I am not a lawyer and I am not commenting on this fact; meanwhile, I would be interested in knowing a lawyer's opinion on this problem.
PwlView will show the current user name and login password if you run it on a logged-on computer. It also shows all cached passwords (such as dial-up networking passwords).
PwlTool is a much more powerful version of PwlView. It is able to obtain information from PWL files when the logon password is lost. PwlTool uses a brute-force attack (fastest!), dictionary search or smart-force technology to recover a password.
MakePWL is an extremely useful tool for administrators who need to pre-configure multiple computers. You can specify password information and MakePWL will create a PWL file that can simply be copied to other computers.
Q: Are PWL files safe? A: They are safe only if the login password is long enough (alphanumeric, at least 8 characters long) AND the intruder has no physical access to the computer after logon. If the user leaves the computer unattended after logon, an intruder can grab passwords from the computer's memory.
Q: How do I make Windows not ask for the login password at startup? A: You can enable silent logon as follows
Q: Tell me more about passwords. A: There are many guides on how to choose the right password. One of them is available here. Here is a well-illustrated guide on how to extort secrets from your PC in the right way :-)
All rights reserved. © 1999, Vitas Ramanchauskas