Extract TortoiseSVN saved password

Jus12 picture Jus12 · Oct 7, 2010 · Viewed 97.8k times · Source

Is there any way to extract credentials saved by TortoiseSVN?

Answer

rkagerer picture rkagerer · Jan 25, 2011

Short answer: You can use TortoiseSVN Password Decrypter to easily display your cached credentials, including passwords.

Long answer: Here's how the tool works.

The credentials are saved in subdirectories of %APPDATA%\Subversion\auth\. Listed from this previous answer they are:

  • svn.simple contains credentials for basic authentication (username/password)
  • svn.ssl.server contains SSL server certificates
  • svn.username contains credentials for username-only authentication (no password needed)

The first directory is the one of interest. It appears to contain files with names that look like GUIDs; one for each repository for which you've saved credentials.

The passwords in these files are encrypted by the Windows Data Protection API. The tool above uses sample code from Obviex to interface with this API and perform decryption.

In order for it to work, you must have access to the same Windows user account you were running under when you checkmarked the "Save authentication" checkbox. This is because the Windows Data Protection API uses an encryption key that is tied to your Windows account. If you lose this account (or, I believe, if an administrator resets your password) then you will no longer be able to decrypt the passwords (except perhaps by using brute force / a third party tool). Having a new Windows account with the same username/password (or probably even SID's) is not sufficient.