iMessage, Hangouts, Skype, Telegram, Signal, WhatsApp are familiar, while PalTalk, Pigin, Psi Jabber client, Gadu-Gadu, Gajim, Trillian, BigAnt or Brosix are relatively little known. The tools from the first group are not only more popular but infinitely more secure compared to the tools from the second group. In this publication we’ll review the authentication methods used by the various instant messengers, and attempt to extract a password to the user’s account.

Do instant messengers store passwords?

Many modern instant messengers gave up using passwords for authentication purposes, let alone store them on the user’s device. How does authentication work in that case, and what do they use instead?

WhatsApp does not use passwords. Instead, the user is authenticated and a new device authorized based on the user’s phone number. Notably, authorizing a new phone with WhatsApp de-authorizes the previously used one. This is exactly what happens when experts use forensic tools to access WhatsApp data, and there is currently no known workaround to prevent such behavior. Users can opt to use a PIN as a second authentication factor, yet such PIN codes are only verified on the server and are never stored (even in a hashed form) on the user’s device.

Telegram uses a somewhat similar authentication method. The original link is established based on the user’s phone number, but the user may optionally set up two-factor authentication with a password. Here, the password is the second authentication factor, while the initial authentication step is a single-use code delivered as an instant message to one of the already authenticated devices or as a text message to the user’s phone number. Quite obviously, the password is verified on the server, and never stored (even in a hashed form) on the user’s device. Unlike WhatsApp, Telegram allows multiple linked devices, so authorizing a new device does not de-authorize any previously used ones. Newly authenticated devices receive full access to the user’s past communication history (except private chats). In addition to the password protecting the user’s Telegram account, the Telegram app installed on a device can be also protected with a passcode. This is a separate setting unrelated to account protection.

In both cases, even if the password is used, it’s never stored on the device, not even as a hash. Therefore, extracting or brute-forcing a WhatsApp PIN or Telegram password is out of the question unless the user keeps them elsewhere (e.g. in iOS Keychain or Web browser).

Skype is a whole new animal. Once an independent instant messenger, Skype is now owned by Microsoft, who pushed Skype logins under the umbrella of Microsoft Account services. Windows 8 and Windows 10 users who sign in to their computers with a Microsoft Account (as opposed to using a standalone login and password) enjoy fully a automatic sign in experience when they launch Skype on their computer.

While Skype does use the login and password authentication, it does not store the password on the computer. However, Windows does – if you use the same Microsoft Account to log into Windows! This fact enables the following possibilities:

• Break Microsoft Account password, if one is used to sign into Windows. This approach won’t work if the user has a local Windows account (and not Microsoft Account). If, however, they do use Microsoft Account credentials to sign in to Windows, the password can be attacked with a high-speed, hardware-accelerated attack that runs on local hardware. Once recovered, the password can be used to access OneDrive data, Skype conversations, and even passwords stored in Microsoft Edge. More information in Analyzing Microsoft Timeline, OneDrive and Personal Vault Files | ElcomSoft blog.To run an attack on the user’s login credentials, one can use Elcomsoft System Recovery to extract password hashes, which can then be attacked with Distributed Password Recovery. The potential roadblocks may include BitLocker encryption and two-factor authentication, which may be requested by Microsoft when attempting to sign in from a new device even if the user never enabled two-factor authentication for their account.

• The password can be also extracted from iOS keychain with Elcomsoft Phone Breaker if the user has an iOS device. You’ll be looking for records containing one of Microsoft-owned domains such as hotmail.com, live.com, outlook.com, microsoft.com, office.com and a few others.
• The password can be also extracted from the user’s Google account with Elcomsoft Cloud Explorer. This only works if the user stored the password on their Android device or the Chrome browser. You will require the Google Account password to extract that data.
• If you have access to a live computer with authenticated user session, you may be able to extract said password from the local Web browser (e.g. Edge, Chrome, Firefox etc.) with Elcomsoft Internet Password Breaker.

• Last but not least, you may be able to transfer the user’s authenticated Skype session from their computer to a different PC, with full access to past conversation histories. The transfer can be performed using Advanced IM Password Recovery.

What about Signal? The PC version of this secure instant messenger does not use a password (and thus does not store it). In order to initialize a new instance of Signal, the user must perform an interactive pairing procedure using their smartphone and the previously authenticated Signal instance. The newly initialized Signal instance does not receive access to past conversations, making such pairing rather pointless from the forensic point of view. The only way to extract Signal conversations from an iPhone is via low-level extraction as shown in this article.

Instant password extraction

Most popular instant messengers are secure, and most of them are neither using nor storing passwords on the computer. However, a great number of communication tools do! The list goes on and on: ICQ and ICQLite, AOL Instant Messenger, AIM Triton, AIM Pro, Yahoo! Messenger, MSN Messenger, Windows Live Messenger, Google Talk, Trillian и Trillian Astra, Odigo, Jabber IM, Miranda, Tencent QQ, Ipswitch Instant Messenger, Psi Jabber client, QIP Infium, Gizmo Project, MySpace IM, Exodus, Gadu-Gadu, Mail.Ru Agent, Just Another Jabber Client, Pidgin and a lot more apps listed on this page either keep a copy of the original password on the computer, or store a password hash that can be transferred to another computer. We’ve also added PalTalk, Pigin, Psi Jabber client, Gadu-Gadu, Gajim, Trillian, BigAnt, and Brosix to the list of IMs we can extract passwords from.

For any app from this list, you can use Advanced IM Password Recovery to extract the login and password. If the password is not stored, you will be able to extract the stored authentication credentials (everything required to log in, including the password hash or authentication token), and transfer the “authenticated session” to another computer.

Additional information

If you are looking for more information about instant messengers, check out Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition in our blog to learn about the extraction of IM data from iOS devices and cloud services.