Chrome Saved Passwords

Overview

Chrome stores saved login credentials in a SQLite database named Login Data within each profile directory. On macOS, password values are encrypted using the same macOS Keychain mechanism as cookies. The database contains plaintext metadata -- origin URLs, usernames, form field names, and usage timestamps -- alongside encrypted password blobs.

This artifact is valuable for identifying which services a user has accounts with, their usernames and email addresses, and how frequently they access each service. The encrypted password values are collected for forensic completeness but are never decrypted by macfor.

File Locations

| File | Path |
|---|---|
| Login Data database | ~/Library/Application Support/Google/Chrome/{Profile}/Login Data |
| Journal file | ~/Library/Application Support/Google/Chrome/{Profile}/Login Data-journal |
| Account-specific logins | ~/Library/Application Support/Google/Chrome/{Profile}/Login Data For Account |

Database Schema

logins Table

CREATE TABLE logins (
    origin_url VARCHAR NOT NULL,
    action_url VARCHAR,
    username_element VARCHAR,
    username_value VARCHAR,
    password_element VARCHAR,
    password_value BLOB,                    -- Encrypted password
    submit_element VARCHAR,
    signon_realm VARCHAR NOT NULL,
    date_created INTEGER NOT NULL,          -- WebKit timestamp
    blacklisted_by_user INTEGER NOT NULL,
    scheme INTEGER NOT NULL,
    password_type INTEGER,
    times_used INTEGER,
    form_data BLOB,
    display_name VARCHAR,
    icon_url VARCHAR,
    federation_url VARCHAR,
    skip_zero_click INTEGER,
    generation_upload_status INTEGER,
    possible_username_pairs BLOB,
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    date_last_used INTEGER NOT NULL DEFAULT 0,     -- WebKit timestamp
    moving_blocked_for BLOB,
    date_password_modified INTEGER NOT NULL DEFAULT 0, -- WebKit timestamp
    sender_email VARCHAR,
    sender_name VARCHAR,
    date_received INTEGER,
    sharing_notification_displayed INTEGER NOT NULL DEFAULT 0,
    keychain_identifier BLOB DEFAULT '',
    sender_profile_image_url VARCHAR
);

stats Table

Tracks dismissal statistics for password save prompts per domain.

CREATE TABLE stats (
    origin_domain VARCHAR NOT NULL,
    username_value VARCHAR,
    dismissal_count INTEGER,
    update_time INTEGER NOT NULL,          -- WebKit timestamp
    UNIQUE(origin_domain, username_value)
);

Key Fields for Analysis

  • origin_url: The URL of the page where the password was entered. Identifies which services the user has accounts with.
  • action_url: The form submission URL. May differ from origin_url if the login form posts to a different endpoint.
  • username_value: The saved username or email address. This field is in plaintext and reveals account identities.
  • signon_realm: The authentication realm, typically the origin URL with a trailing slash (e.g., https://example.com/). Chrome matches saved credentials to sites primarily on this value (the table's SQL primary key is id).
  • date_created: When the credential was first saved.
  • date_last_used: When the credential was last auto-filled. Indicates recent activity on the account.
  • date_password_modified: When the password was last changed.
  • times_used: Number of times Chrome auto-filled this credential.
  • blacklisted_by_user: When set to 1, indicates the user explicitly chose "Never save" for this site.
  • scheme: The authentication scheme used.
  • password_value: Encrypted password blob. The presence and size of this field confirms a saved password exists.
  • federation_url: If present, indicates the credential uses federated login (e.g., "Sign in with Google").

Scheme Values

| Value | Name | Description |
|---|---|---|
| 0 | html_form | Standard HTML form-based login |
| 1 | basic_auth | HTTP Basic Authentication |
| 2 | digest_auth | HTTP Digest Authentication |
| 3 | other | Other authentication method |

Timestamps

| Field | Format | Notes |
|---|---|---|
| date_created | WebKit | When credential was first saved |
| date_last_used | WebKit | When credential was last auto-filled |
| date_password_modified | WebKit | When password was last changed |

Analysis Notes

  • The username_value field is stored in plaintext and provides immediate identification of user accounts across services.
  • A blacklisted_by_user = 1 entry means the user visited the login page and actively chose not to save the password. This still confirms the user has an account at that site.
  • Entries with times_used > 0 and recent date_last_used indicate actively used accounts.
  • The stats table reveals sites where the user dismissed the password save prompt, which still confirms the user has credentials for those sites.
  • Entries where federation_url is populated indicate single sign-on (SSO) usage, potentially revealing enterprise identity providers.
  • Password encryption uses the same Chrome Safe Storage keychain mechanism as cookies (AES-128-CBC, PBKDF2 with 1003 iterations).
  • The Login Data For Account file may contain additional credentials associated with the Google account used for Chrome sync.

Version Differences

| Version | Change |
|---|---|
| Chrome 80 | Baseline schema |
| Chrome 86+ | date_last_used column added |
| Chrome 96+ | date_password_modified column added |
| Chrome 110+ | Password sharing fields (sender_email, sender_name, etc.) added |
| Chrome 120+ | keychain_identifier column added |

macfor dynamically detects available columns and uses defaults for missing ones.
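
The column detection described here, combined with the WebKit timestamp and scheme decoding from the sections above, as an added example (not macfor's own code). The names parse_logins, webkit_to_utc and build_sample and the sample rows are constructed for illustration; the password blob is only measured, never decrypted.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SCHEMES = {0: "html_form", 1: "basic_auth", 2: "digest_auth", 3: "other"}
# Columns added after the Chrome 80 baseline, with the schema's own defaults.
DEFAULTS = {"date_last_used": "0", "date_password_modified": "0"}
WANTED = ["origin_url", "username_value", "signon_realm", "scheme", "times_used",
          "blacklisted_by_user", "federation_url", "date_created", *DEFAULTS]


def webkit_to_utc(value):
    """WebKit timestamp: microseconds since 1601-01-01 UTC; 0 or NULL means unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None


def parse_logins(conn):
    """Return login metadata; password_value is only measured, never decrypted."""
    present = {row[1] for row in conn.execute("PRAGMA table_info(logins)")}
    cols = [c if c in present else f"{DEFAULTS.get(c, 'NULL')} AS {c}" for c in WANTED]
    cols.append("length(password_value) AS password_len")
    conn.row_factory = sqlite3.Row
    records = []
    for row in conn.execute(f"SELECT {', '.join(cols)} FROM logins ORDER BY rowid"):
        rec = dict(row)
        rec["scheme"] = SCHEMES.get(rec["scheme"], f"unknown({rec['scheme']})")
        for col in ("date_created", *DEFAULTS):
            rec[col] = webkit_to_utc(rec[col])
        records.append(rec)
    return records


def build_sample():
    """Constructed Chrome 80-style table lacking the two later date columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url, username_value, password_value,"
                 " signon_realm, date_created, blacklisted_by_user, scheme,"
                 " times_used, federation_url)")
    conn.executemany("INSERT INTO logins VALUES (?,?,?,?,?,?,?,?,?)", [
        ("https://example.com/login", "alice@example.com", bytes(32),  # dummy blob
         "https://example.com/", 13348540800000000, 0, 0, 7, ""),
        ("https://intranet.example/", "", b"", "https://intranet.example/",
         13348540800000000, 1, 1, 0, ""),
    ])
    return conn


if __name__ == "__main__":
    for rec in parse_logins(build_sample()):
        print(rec)
```

On real evidence, pass parse_logins a connection to a working copy of Login Data opened read-only (a `file:` URI with `mode=ro` and `uri=True`) rather than the live database.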

Tool Support

| Tool | Capability |
|---|---|
| macfor | Collects raw database, parses login metadata without decrypting passwords |
| DB Browser for SQLite | Manual inspection of login metadata |
| Hindsight | Includes saved password metadata in analysis |
| ChromePass (NirSoft) | Windows tool for Chrome password recovery |
