<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.1" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Skype Password Recovery</title>
	<link>http://blog.reactive-software.com/skype-password-recovery/</link>
	<description>...life is not just about software!</description>
	<pubDate>Fri, 21 Nov 2008 17:33:38 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.1</generator>

	<item>
		<title>By: David Balažic</title>
		<link>http://blog.reactive-software.com/skype-password-recovery/#comment-4424</link>
		<author>David Balažic</author>
		<pubDate>Wed, 22 Oct 2008 07:04:10 +0000</pubDate>
		<guid>http://blog.reactive-software.com/skype-password-recovery/#comment-4424</guid>
		<description>Hi!

I myself have forgotten my Skype password. The following trick allowed me to set up Skype on another PC for the same account:

Condition is that Skype is set up to remember the password and autologin to the account. 
Copy the Skype config files from %appdata%\skype to another PC, that PC will accept it and also autologin to the skype account.

Note: I did this once last year and it worked. These days I tried it again, but the login does not work on the target PC. After a few seconds it asks for the password. Maybe the newer (v3.8) version of Skype has a change that prevents this from working. I don't know. It is worth a try though, if you have forgotten the password, can not recover it, have autologin and want to use Skype on another PC.

Regards,
David</description>
		<content:encoded><![CDATA[<p>Hi!</p>
<p>I myself have forgotten my Skype password. The following trick allowed me to set up Skype on another PC for the same account:</p>
<p>Condition is that Skype is set up to remember the password and autologin to the account.<br />
Copy the Skype config files from %appdata%\skype to another PC, that PC will accept it and also autologin to the skype account.</p>
<p>Note: I did this once last year and it worked. These days I tried it again, but the login does not work on the target PC. After a few seconds it asks for the password. Maybe the newer (v3.8) version of Skype has a change that prevents this from working. I don&#8217;t know. It is worth a try though, if you have forgotten the password, can not recover it, have autologin and want to use Skype on another PC.</p>
<p>Regards,<br />
David</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eugene</title>
		<link>http://blog.reactive-software.com/skype-password-recovery/#comment-4239</link>
		<author>Eugene</author>
		<pubDate>Mon, 13 Oct 2008 19:59:56 +0000</pubDate>
		<guid>http://blog.reactive-software.com/skype-password-recovery/#comment-4239</guid>
		<description>I am not aware of any bruteforce hacking program for Skype. Unfortunately, the encoding algorithm is unique and hence universal MD5 bruteforce or rainbow table programs will not work.</description>
		<content:encoded><![CDATA[<p>I am not aware of any bruteforce hacking program for Skype. Unfortunately, the encoding algorithm is unique and hence universal MD5 bruteforce or rainbow table programs will not work.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: George</title>
		<link>http://blog.reactive-software.com/skype-password-recovery/#comment-4216</link>
		<author>George</author>
		<pubDate>Sun, 12 Oct 2008 21:01:40 +0000</pubDate>
		<guid>http://blog.reactive-software.com/skype-password-recovery/#comment-4216</guid>
		<description>Sorry, 
but is it possible to get somewhere a "bruteforce" comparison program?    

I mean something that will get some valid input data like the password (and maybe something else), and produce the same hash?

I have actually lost my *own* password, so I have a very few variants to check, but there is some delay in Skype's server response that makes this painful.</description>
		<content:encoded><![CDATA[<p>Sorry,<br />
but is it possible to get somewhere a &#8220;bruteforce&#8221; comparison program?    </p>
<p>I mean something that will get some valid input data like the password (and maybe something else), and produce the same hash?     </p>
<p>I have actually lost my *own* password, so I have a very few variants to check, but there is some delay in Skype&#8217;s server response that makes this painful.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Hagrinas</title>
		<link>http://blog.reactive-software.com/skype-password-recovery/#comment-2520</link>
		<author>Hagrinas</author>
		<pubDate>Sun, 22 Jun 2008 22:40:46 +0000</pubDate>
		<guid>http://blog.reactive-software.com/skype-password-recovery/#comment-2520</guid>
		<description>Sorry, I didn't see the AES and SHA-1 part.  It wouldn't be trivial.  But it would still be helpful for users who don't remember what email address they used to have something along the lines of the first part.</description>
		<content:encoded><![CDATA[<p>Sorry, I didn&#8217;t see the AES and SHA-1 part.  It wouldn&#8217;t be trivial.  But it would still be helpful for users who don&#8217;t remember what email address they used to have something along the lines of the first part.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Hagrinas</title>
		<link>http://blog.reactive-software.com/skype-password-recovery/#comment-2519</link>
		<author>Hagrinas</author>
		<pubDate>Sun, 22 Jun 2008 22:30:22 +0000</pubDate>
		<guid>http://blog.reactive-software.com/skype-password-recovery/#comment-2519</guid>
		<description>There are still some tools that could be produced easily to assist users in password recovery.

Skype has a web page for password recovery.  It simply asks for the user name and email address.  It's obvious that the person has the user name, or there's nothing to recover.  But the user might not have the email address, and that's a common problem. 

Skype stores the email address that was used when the user registered.  It's in %app data%\skype\skypeusername\profilennnn.dbb. The skype user name would have to be plugged in, and I don't know how to figure out the number, except there's only one dbb file in that directory with a name starting with profile.  

Searching that file for the email address, which is preceded by an @ sign and followed by x00.  Of course, a person could find the file manually, open it with a text editor, and read it, but a tool would be almost trivial to write. 

Once the user has the email address, assuming it's valid and the email goes to the user, recovery is trivial.

The other thing is MD5 encoding.  From what I read on this website, it should be trivial to write something to encode the password and end up with something that matches what is stored locally. Users often have an idea of what they might have used, such as words, letters, or numbers that they typically use.  A user might be able to make a list of a dozen or so possible passwords, and a program could tell easily when they had a match.

Alternatively, rather than generating random passwords and using brute force, a user could supply parameters.  If my name is John Smith and I work for Acme, have three children whose ages I sometimes use in passwords, and whose wife's name is Agnes, I might want to be able to supply a dozen keywords, such as my name, kids' names, etc. A program could try various combinations in different orders, with and without embedded numbers.  I might know that I typically use numbers at the end, or that I want to limit numbers to 1 or 2 digits. 

In a nutshell, a user might be able to come up with enough keywords and parameters to enable a relatively simple algorithm to find the password in less than a few seconds.</description>
		<content:encoded><![CDATA[<p>There are still some tools that could be produced easily to assist users in password recovery.</p>
<p>Skype has a web page for password recovery.  It simply asks for the user name and email address.  It&#8217;s obvious that the person has the user name, or there&#8217;s nothing to recover.  But the user might not have the email address, and that&#8217;s a common problem. </p>
<p>Skype stores the email address that was used when the user registered.  It&#8217;s in %app data%\skype\skypeusername\profilennnn.dbb. The skype user name would have to be plugged in, and I don&#8217;t know how to figure out the number, except there&#8217;s only one dbb file in that directory with a name starting with profile.  </p>
<p>Searching that file for the email address, which is preceded by an @ sign and followed by x00.  Of course, a person could find the file manually, open it with a text editor, and read it, but a tool would be almost trivial to write. </p>
<p>Once the user has the email address, assuming it&#8217;s valid and the email goes to the user, recovery is trivial.</p>
<p>The other thing is MD5 encoding.  From what I read on this website, it should be trivial to write something to encode the password and end up with something that matches what is stored locally. Users often have an idea of what they might have used, such as words, letters, or numbers that they typically use.  A user might be able to make a list of a dozen or so possible passwords, and a program could tell easily when they had a match.</p>
<p>Alternatively, rather than generating random passwords and using brute force, a user could supply parameters.  If my name is John Smith and I work for Acme, have three children whose ages I sometimes use in passwords, and whose wife&#8217;s name is Agnes, I might want to be able to supply a dozen keywords, such as my name, kids&#8217; names, etc. A program could try various combinations in different orders, with and without embedded numbers.  I might know that I typically use numbers at the end, or that I want to limit numbers to 1 or 2 digits. </p>
<p>In a nutshell, a user might be able to come up with enough keywords and parameters to enable a relatively simple algorithm to find the password in less than a few seconds.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
