| MadSci Network: Computer Science |
I'll address this question in two different ways, because I'm not sure which way it was intended to be read: (1) as the "attacker" trying to get the password, or (2) as the "defender" worried whether such an attack is feasible. The short answer for those in a hurry: it's possible to exploit technical knowledge of the program to get the password, but almost always there are easier and quicker ways to do it. As a result, much of this answer will deal with how attackers really get passwords in today's computer environment.
There's one special case that deserves mention first: when somebody else has already done all the hard work and written a "can opener" program to do the password recovery for you. For instance, Excel spreadsheets can have a password, but the protection is notoriously weak and it's easy to find programs that recover it; a Google search for "recover excel spreadsheet password" returns some 80,000 or so hits.
From the attacker's perspective: Yes, it's possible, and is a sub-category of a field called "reverse engineering". However, it usually requires quite a bit of skill and resources to do.
Most reverse engineering consists of setting up a "sandbox" for the program, including a debugger, and then running the program (often single-stepping) in order to figure out what it's doing. This is rarely a useful way to capture a password: if you have enough access to the machine to run the program in a sandbox, you're probably the system administrator and don't need the password. Similarly, "deeply analysing" the program is often difficult, because the people who wrote it expected you to try and added counter-checks to make it hard. For instance, the authors of the Agobot worm added checks for single-step debuggers, for the VMware virtual machine software, and for SoftICE and other Windows debuggers, and the worm refused to run if any of them was detected, all of which made life difficult for the anti-virus and security professionals trying to decipher its code.
This level of effort is often worthwhile if you are trying to break a piece of software so that all of its passwords become recoverable, or some similar result: if the effort will gain you thousands or millions of userids, it's worth doing.
All the same, it's usually enough effort that there are better, easier ways to get the password for just one userid. Just because you can't find a way to get the software to reveal the password doesn't mean there aren't ways to bypass the software entirely and get the password by other means.
It's the rare computer system that has no holes and can't be exploited at all. As a result, the most common way to get a password is to use a Trojan Horse program to deliver a keystroke logger, and then just wait for the victim to type their password. If that fails, the determined attacker will resort to social engineering (including bribery) or phishing, or possibly even what Marcus Ranum calls "rubber hose cryptography" (basically, extracting the needed information from the person by taking them into a room and beating them with a rubber hose until the information is obtained; variants of this are routinely practiced by many major governments and other organized crime syndicates).
Often you can find the password written down on a note taped to the monitor, left under the keyboard, or in some other obvious place. Or just guess the password: an amazing number of people will use their spouse's, children's or pet's name as their password. Last academic year, I set up a highly secure system for a graduate-school class as a target for a tiger team and capture-the-flag attack, and one member of one team was able to guess another team's password on the third try (thus evading my logging, which only started after 3 bad tries), knowing only that the person who set it had set it to "something more than 15 or 20 characters" and being familiar with that person's interests and social life. However, I cite that as the single most extraordinary password guess I've encountered in literally a quarter century of doing computer security, and it also involved the victim's choosing a very obvious passphrase (it was indeed over 20 characters, but a very easily guessed phrase).
If you're the defender worried about such an attack, there are a number of things you can do to greatly reduce the risks (most of which are just knowing that the attackers will try the things I just mentioned, and taking precautions to stop those attacks):
Bruce Schneier has written a number of books on computer security - I recommend his "Secrets and Lies" as a good introductory book on security issues. It has much more information that explains why many security specialists don't even see the type of attack you ask about as a very high risk.
(Many thanks to the fine people at Wikipedia - I've referenced many of their articles here, most of which have numerous helpful pointers to other related information).
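To make the "counter-checks" mentioned in the Agobot discussion above concrete, here is an added example of the simplest kind of debugger-presence check on Linux; it is not code from the original answer or from any of the programs it mentions. It assumes Linux procfs: a process that is being traced (by gdb, strace, a single-stepping debugger) shows a non-zero TracerPid in /proc/self/status. The function names and the embedded sample status text are my own.

```c
/* Debugger-presence check via /proc/self/status (Linux only).
 * Added example: illustrates the kind of anti-debugging counter-check the
 * answer describes; it is not taken from Agobot or any other real program. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field out of the text of /proc/<pid>/status.
 * Returns the tracer's PID, 0 if the process is not traced,
 * or -1 if the field is absent (not Linux procfs, or a truncated read). */
long tracer_pid_from_status(const char *status_text) {
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, keylen) == 0) {
            /* strtol skips the tab/spaces that follow the colon. */
            return strtol(line + keylen, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line) line++;            /* advance to the start of the next line */
    }
    return -1;
}

/* Read this process's own status file and report whether a tracer is attached.
 * Returns 1 if traced, 0 if not, -1 if it cannot tell (no procfs available). */
int being_traced(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tp = tracer_pid_from_status(buf);
    if (tp < 0) return -1;
    return tp > 0 ? 1 : 0;
}

int main(void) {
    int t = being_traced();
    if (t == 1) {
        puts("tracer attached, refusing to run");   /* what Agobot-style code does */
        return 1;
    }
    if (t == -1) puts("cannot tell (no /proc/self/status); continuing");
    else puts("no tracer detected");
    /* the program's real work would follow here */
    return 0;
}
```

Two practitioner caveats. First, this is exactly why the answer says such checks only "made life difficult" rather than stopping analysis: the analyst patches the comparison out, breaks on fopen() and hands the program a fake status file, or preloads a library that hooks the read. Second, do not build real protection on it; on a machine where ptrace is blocked by policy the check reports "cannot tell", and a program that refuses to run in that case has simply added a denial-of-service to itself.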
Try the links in the MadSci Library for more information on Computer Science.