Extract TortoiseSVN saved password

Is there any way to extract credentials saved by TortoiseSVN?


Short answer: You can use TortoiseSVN Password Decrypter to easily display your cached credentials, including passwords.

Long answer: Here's how the tool works.

The credentials are saved in subdirectories of %APPDATA%\Subversion\auth\. Listed from this previous answer they are:

  • svn.simple contains credentials for basic authentication (username/password)
  • svn.ssl.server contains SSL server certificates
  • svn.username contains credentials for username-only authentication (no password needed)

The first directory is the one of interest. It appears to contain files with names that look like GUIDs; one for each repository for which you've saved credentials.

The passwords in these files are encrypted by the Windows Data Protection API. The tool above uses sample code from Obviex to interface with this API and perform decryption.

In order for it to work, you must have access to the same Windows user account you were running under when you checkmarked the "Save authentication" checkbox. This is because the Windows Data Protection API uses an encryption key that is tied to your Windows account. If you lose this account (or, I believe, if an administrator resets your password) then you will no longer be able to decrypt the passwords (except perhaps by using brute force / a third party tool). Having a new Windows account with the same username/password (or probably even SID's) is not sufficient.


Based on the info below it sounds like you could possible decrypt them locally in some fashion...

UPDATE: Definitive answer from TortiseSVN community

When they're sent over the wire encrypted, they're encrypted using a handshake and/or agreed-upon key at the time of connection.

When they're stored/read locally, they're encrypted/decrypted via the Windows Crypto API which uses a key tied to your Windows account.

The locally-encrypted copy can't be decrypted by the server because the keys are local to your account.

So when you connect (let's say via HTTPS), your client gets the credentials decrypted via the appropriate Windows API, then includes them in the HTTPS transmission. HTTPS encrypts the whole communication between client & server using SSL certificates, not just the credentials.