Skype Password Recovery

Back in the old days, when we had only just started up, we had no direction on where we should be going and what we should do. We had no analysis tools to find out which recovery tools were in demand, and we had no research info on what recovery was possible.

Over a year ago we bought a Skype password domain in the hope that we would develop and upload a Skype Password Recovery tool to the site. This was a very careless move. Little did we know that… Skype produces a hash of the user's password and uses that hash to authenticate/store the login info locally (the hash is transferred over the secure channel to authenticate).

As Fabrice Desclaux and Kostya Kortchinsky tell us in their paper, Skype uses the MD5 hash of “username\nskyper\npassword” to authenticate. The same hash is stored in the config.xml file (C:\Documents and settings\Windows Username\Application data\Skype\SkypeUsername\config.xml). In fact, this MD5 hash is then encrypted using AES and SHA-1 before being stored in config.xml.

Skype Encryption Scheme

To put the above in simple words, there is no 100% guaranteed algorithm to decrypt a Skype password. Brute-force and dictionary attacks are the only methods. Both are time-consuming and only have potential for passwords of up to 8 characters.

Update: some vendors have started to offer brute-force programs to crack Skype passwords. But what these vendors don’t say is that it will take 16 months to decode a 6-character password on a very good machine. If we take Moore’s law into account, it is clear that even with new processors coming out, in two years’ time you will be able to decode the same 6-character password twice as fast, which means in 8 months!
Very often users set their passwords to anything longer than 7 characters, so this program is useless in cases when the password is 7 characters or longer.

Clearly, for any Skyper even 8 months is not an option.
Thus, we have decided not to develop any Skype password decoders based on bruteforce algorithms.
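
The cost argument above, and the username-bound hash it rests on, worked through as an added Python example (not code from the original post or from Skype). The 26-letter alphabet, the UTF-8 encoding, the sample account names and the function names are assumptions; the 16-month and two-year figures are the post's own.

```python
import hashlib
import math

# Figures quoted in the post: 16 months to exhaust 6-character passwords,
# and Moore's law taken as "twice as fast every two years".
BASELINE_LENGTH = 6
BASELINE_MONTHS = 16.0
DOUBLING_YEARS = 2.0


def skype_login_hash(username: str, password: str) -> str:
    """MD5 of "username\\nskyper\\npassword", the construction cited in the post.

    UTF-8 encoding is an assumption; the post does not state the encoding.
    """
    material = f"{username}\nskyper\n{password}".encode("utf-8")
    return hashlib.md5(material).hexdigest()


def months_to_exhaust(length: int, alphabet_size: int) -> float:
    """Scale the post's 16-month figure to another password length.

    Each extra character multiplies the keyspace by alphabet_size, which is
    an assumed value (the post does not say which character set was used).
    """
    return BASELINE_MONTHS * alphabet_size ** (length - BASELINE_LENGTH)


def months_after(months_now: float, years: float) -> float:
    """Search time on hardware `years` from now, halving every two years."""
    return months_now * 0.5 ** (years / DOUBLING_YEARS)


def years_until(months_now: float, target_months: float) -> float:
    """Years of hardware doubling before the search fits in target_months."""
    return max(0.0, DOUBLING_YEARS * math.log2(months_now / target_months))


if __name__ == "__main__":
    # Constructed sample accounts: the same password under two usernames.
    print(skype_login_hash("alice", "secret"), skype_login_hash("bob", "secret"))
    for n in (6, 7, 8):
        m = months_to_exhaust(n, 26)  # 26 = lowercase letters, an assumption
        print(n, m, months_after(m, 2), round(years_until(m, 1), 1))
```

Because the username is part of the hashed material, the same password hashes differently for every account, so a lookup table built for bare MD5 does not match.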

7 Responses to “Skype Password Recovery”

  1. Hagrinas says:

    There are still some tools that could be produced easily to assist users in password recovery.

    Skype has a web page for password recovery. It simply asks for the user name and email address. It’s obvious that the person has the user name, or there’s nothing to recover. But the user might not have the email address, and that’s a common problem.

    Skype stores the email address that was used when the user registered. It’s in %app data%\skype\skypeusername\profilennnn.dbb. The skype user name would have to be plugged in, and I don’t know how to figure out the number, except there’s only one dbb file in that directory with a name starting with profile.

    Searching that file for the email address, which is preceded by an @ sign and followed by x00. Of course, a person could find the file manually, open it with a text editor, and read it, but a tool would be almost trivial to write.

    Once the user has the email address, assuming it’s valid and the email goes to the user, recovery is trivial.

    The other thing is MD5 encoding. From what I read on this website, it should be trivial to write something to encode the password and end up with something that matches what is stored locally. Users often have an idea of what they might have used, such as words, letters, or numbers that they typically use. A user might be able to make a list of a dozen or so possible passwords, and a program could tell easily when they had a match.

    Alternatively, rather than generating random passwords and using brute force, a user could supply parameters. If my name is John Smith and I work for Acme, have three children whose ages I sometimes use in passwords, and whose wife’s name is Agnes, I might want to be able to supply a dozen keywords, such as my name, kids names, etc. A program could try various combinations in different orders, with and without embedded numbers. I might know that I typically use numbers at the end, or that I want to limit numbers to 1 or 2 digits.

    In a nutshell, a user might be able to come up with enough keywords and parameters to enable a relatively simple algorithm to find the password in less than a few seconds.

  2. Hagrinas says:

    Sorry, I didn’t see the AES and SHA-1 part. It wouldn’t be trivial. But it would still be helpful for users who don’t remember what email address they used to have something along the lines of the first part.

  3. George says:

    Sorry,
    but is it possible to get somewhere a “bruteforce” comparison program?

    I mean something that will get some valid input data like the password (and may be sth else), and produce the same hash?

    I have actually lost my *own* password, so I have a very few variants to check, but there is some delay in Skype’s server response that makes this painful.

  4. Eugene says:

    I am not aware of any bruteforce hacking program for Skype. Unfortunately, the encoding algorithm is unique and hence universal MD5 bruteforce or rainbow table programs will not work.

  5. David Balažic says:

    Hi!

    I myself have forgotten my Skype password. The following trick allowed me to set up Skype on another PC for the same account:

    Condition is that Skype is set up to remember the password and autologin to the account.
    Copy the Skype config files from %appdata%\skype to another PC, that PC will accept it and also autologin to the skype account.

    Note: I did this once last year and it worked. These days I tried it again, but the login does not work on the target PC. After a few seconds it asks for the password. Maybe the newer (v3.8) version of Skype has a change that prevents this from working. I don’t know. It is worth a try though, if you have forgotten the password, can not recover it, have autologin and want to use Skype on another PC.

    Regards,
    David

  6. LiquidStorm says:

    2 David Balažic:
    Copying profile does not allow to login skype on another computer, skype will ask for password anyway. Seems it stores some machine-id things in profile or anywhere on source machine that’s why on target machine it can detect the machine change.

  7. rower says:

    for quite a long time Skype allowed to register accounts without any email registered. now i’ve run into the same problem – my long-ago-registered skype account with autologon setup has been lost (due to simple fact, that machine with that skype account died). probably i’ll be able to recover some data, however, the chances of recovering skype profiles are quite small. i would rather have at least “dictionary attack” on my skype account, as i might supply quite a lot of variants (a couple of hundreds) for accounts password. entering them by hand, one by one is such a pain… and, taking into account that most of them are variations like +