I found the answer. IE stores passwords in two different locations based on the password type:
- Http-Auth:
%APPDATA%\Microsoft\Credentials, in encrypted files - Form-based:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2, encrypted with the url
From a very good page on NirSoft.com:
Starting from version 7.0 of Internet Explorer, Microsoft completely changed the way that passwords are saved. In previous versions (4.0 – 6.0), all passwords were saved in a special location in the Registry known as the “Protected Storage”. In version 7.0 of Internet Explorer, passwords are saved in different locations, depending on the type of password. Each type of passwords has some limitations in password recovery:
- AutoComplete Passwords: These passwords are saved in the following location in the Registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2The passwords are encrypted with the URL of the Web sites that asked for the passwords, and thus they can only be recovered if the URLs are stored in the history file. If you clear the history file, IE PassView won’t be able to recover the passwords until you visit again the Web sites that asked for the passwords. Alternatively, you can add a list of URLs of Web sites that requires user name/password into the Web sites file (see below). - HTTP Authentication Passwords: These passwords are stored in the Credentials file under
Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords. Due to security limitations, IE PassView can recover these passwords only if you have administrator rights.
In my particular case it answers the question of where; and I decided that I don’t want to duplicate that. I’ll continue to use CredRead/CredWrite, where the user can manage their passwords from within an established UI system in Windows.