39

My friend uses Firefox's built-in password manager feature to save passwords for sites. Later, after installing Avast Free Antivirus there was a feature called Passwords on the Avast UI. When accessed it read all the stored passwords from Firefox and gave this report.

This clearly shows that passwords were read and compared by a third party tool (Avast). How does Firefox save the passwords? Is it a bug which is being exploited by Avast?

cat
RamValli

4 Answers

53

Passwords saved by Firefox are not encrypted (they are encrypted but the key can be read out) until you set a master password. I don't think that this is a bug, but every virus could read those passwords nonetheless.

RoiEX
  • 3
    This makes sense, but is contradicted by their support documentation: "[Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer can still see or use them.](https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import?redirectlocale=en-US&redirectslug=Remembering+passwords#firefox:win7:fx45)" – Dave Apr 14 '16 at 22:20
  • 2
    @Dave using a master password makes the passwords unreadable for other programs... I saw a video about that some time ago, showing that using a master password is safe – RoiEX Apr 14 '16 at 22:36
  • 16
    @Dave It makes no practical difference whether they're unencrypted, or encrypted with a blank key. Consider that Firefox has to be able to decrypt them, then malware can just copy whatever Firefox does. – user253751 Apr 15 '16 at 06:52
  • 14
    I will remind everyone here of the first rule of StackExchange: Be Nice. – AviD Apr 15 '16 at 08:50
  • 6
    Basically, the keys are encrypted in the file "logins.json" - however, as long as you don't use a master key, the password to decrypt everything is stored in "key3.db". At least they could have used the Windows built-in encryption. That would prevent someone from restoring my Firefox Profile from an old harddisk to get all my passwords. –  Apr 15 '16 at 14:49
  • 2
    At least when data is encrypted (with a known key), you can't accidentally see it on a terminal with a `grep **/*(.)` or something like that. – curiousguy Apr 15 '16 at 21:05
  • 3
    @DanielGilbert Relying on *Windows* built-in encryption would of course be platform-dependent – Hagen von Eitzen Apr 16 '16 at 08:42
  • @HagenvonEitzen That's true - but then again, Firefox already has OS-specific builds, and has OS-specific functionality included. In fact, using Windows file encryption is really just calling EncryptFile() in the Win32 API after creation - that's it. It only prevents from reading password-files from different accounts or on a stolen harddisk, though... –  Apr 18 '16 at 13:00
  • @immibis I didn't realize they used a blank/accessible key to encrypt them... I didn't word it well but my comment was just seeking clarification on the original answer wording vs. Firefox documentation. This makes perfect sense now, thanks! – Dave Apr 19 '16 at 16:49
21

Firefox can decrypt the passwords without you entering a password. That means it must have the decryption key--which means any program that knows how Firefox stores things can find them. This applies to any program that stores information on your system. Encryption is only a strong defense if you have to provide the decryption key before accessing the stored data. (Note that this is accomplished by using the supplied password as the decryption key--no password, no decryption, no access to the encrypted data. This inherently means there's no recovery of the password other than by external storage somewhere.)

Encrypting the passwords stops someone from using Notepad to read your passwords, it does not stop a serious attempt to find them.

Loren Pechtel
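The distinction drawn in the answer above, as an added example that is not part of the original answer or of Firefox's code: one store keeps its key next to the ciphertext, the other derives the key from a password the user must supply. The function names are hypothetical, and the SHA-256 counter-mode stream is a stand-in cipher chosen only so the example runs on the Python standard library.

```python
import hashlib
import hmac
import os

def _xor_stream(key, data):
    # Stand-in cipher (SHA-256 in counter mode), not what Firefox uses.
    # Each store below generates a fresh key and uses it exactly once.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + b"enc" + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def _tag(key, ct):
    # Authentication tag so a wrong key is detected instead of yielding garbage.
    return hmac.new(key + b"mac", ct, hashlib.sha256).digest()

def save_without_master(secret):
    """Case 1: the key is written to disk next to the ciphertext."""
    key = os.urandom(32)
    ct = _xor_stream(key, secret)
    return {"stored_key": key, "ct": ct, "tag": _tag(key, ct)}

def save_with_master(secret, master):
    """Case 2: only a salt is stored; the key is derived from the password."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    ct = _xor_stream(key, secret)
    return {"salt": salt, "ct": ct, "tag": _tag(key, ct)}

def read_store(store, master=None):
    """What any program with read access to the stored data can recover."""
    if "stored_key" in store:
        key = store["stored_key"]
    elif master is not None:
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), store["salt"], 200_000)
    else:
        return None  # nothing on disk yields the key
    if not hmac.compare_digest(store["tag"], _tag(key, store["ct"])):
        return None  # wrong password: authentication fails
    return _xor_stream(key, store["ct"])

if __name__ == "__main__":
    secret = b"site password (constructed sample)"
    print(read_store(save_without_master(secret)))
    locked = save_with_master(secret, "correct horse")
    print(read_store(locked), read_store(locked, "guess"), read_store(locked, "correct horse"))
```
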
  • 6
    You could point out that Firefox allows to set a master password to avoid exactly this problem... – Bakuriu Apr 15 '16 at 07:26
  • 4
    @Bakuriu: Master passwords are barely any protection at all. Malware can wait until you just type them in… – Ry- Apr 15 '16 at 08:38
  • 6
    @RyanO'Hara Malware is just one type of security issue. Having a master password can offer protection against other security breaches e.g. theft/loss of your hard drive. – Jon Bentley Apr 15 '16 at 13:24
  • 2
    With a master Password viruses can't read existing passwords – RoiEX Apr 15 '16 at 14:53
  • 3
    @RoiEX I think you meant a virus can't read existing passwords, until the user types in the Master Password – Patrick M Apr 15 '16 at 19:37
  • No actually not, but you are right this could happen - didn't think about this scenario – RoiEX Apr 15 '16 at 19:39
  • 1
    @RyanO'Hara: if you have malware running on your system, you're already screwed whatever you do. Why do you think that malware that has sufficient privilege to install a key logger can't read off your password from DPAPI or HSM? – Lie Ryan Apr 16 '16 at 01:42
  • @LieRyan Never said it couldn't. Said rather the opposite, in fact. – Ry- Jun 29 '16 at 10:08
  • Isolation of individual apps and their data storage, as on modern operating systems like Android and iOS, would prevent this as well. – caw Aug 18 '19 at 19:21
11

How does Firefox save the passwords?

Previous answers have already presented the general idea, but a more in-depth explanation can be provided.

Firefox stores all user information in the profile folder. On Windows, it's located under %APPDATA%\Mozilla\Firefox\Profiles\; and on Linux, ~/.mozilla/firefox/.
The profile folder is created the first time Firefox is started for the current user, and typically has a cryptic name, like y7ogrp85.default in my case. This name is meant to be unique.

Since version 32 of Firefox, two files residing under the profile folder are responsible for managing saved passwords inside the browser. They are: logins.json and key3.db.

The first file, logins.json, contains actual information such as a list of usernames, passwords, domain names etc. It also lists the websites for which you opted NOT to save a password. However, these are encrypted. You can check for yourself.

The second file, key3.db, holds the key to decrypt the sensitive information found on the previous file, such as usernames and passwords.

Now, this implementation is not a secret (after all, Firefox is open source), and anyone can develop their own means to get someone's passwords by reading these files. In fact, it's been done already. I know of a tool by Nirsoft called PasswordFox for that.

There is one possible caveat, and it's the possibility of the user having implemented a master password within Firefox; this will encrypt the key3.db file itself. But there are means around that too, by brute-forcing the file with utilities made for that purpose, like John the Ripper and others.

Is it a bug which is being exploited by Avast?

Nope, not a bug. It's just the way the browser has been designed (not from scratch though - it's evolved a lot since the first versions). I believe it's reasonably convenient and secure. As long as:

  • Your system isn't compromised;
  • Nobody you don't trust has physical access to your computer, or even yet, unrestricted access to your files / your user account;
  • Your files are protected by Full Disk Encryption, in case your PC is stolen,

you should be fine. In any case I do recommend setting a strong master password or even better, switching to a dedicated password manager such as KeepassXC.


(I'm not personally connected with Nirsoft, Firefox or KeepassXC. I'm just a user.)

Marc.2377
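The "check for yourself" step from the answer above, as an added example that is not part of the original answer: it summarises what a copy of logins.json exposes without decrypting anything. The field names (hostname, encryptedUsername, encryptedPassword, timePasswordChanged, disabledHosts) are assumed from the Firefox file format, and the sample data is constructed.

```python
import base64
import json
from datetime import datetime, timezone

def _fake_blob(seed):
    # Constructed placeholder bytes, not real Firefox ciphertext.
    raw = bytes([0x30]) + bytes((i * 37 + seed) % 256 for i in range(40))
    return base64.b64encode(raw).decode()

# Constructed sample in the shape of logins.json; hosts and timestamps are made up.
SAMPLE = json.dumps({
    "logins": [
        {"hostname": "https://mail.example.com", "encryptedUsername": _fake_blob(1),
         "encryptedPassword": _fake_blob(2), "timePasswordChanged": 1400000000000},
        {"hostname": "https://bank.example.org", "encryptedUsername": _fake_blob(3),
         "encryptedPassword": _fake_blob(4), "timePasswordChanged": 1460000000000},
    ],
    "disabledHosts": ["https://intranet.example.net"],
})

def is_opaque(value):
    """True if value is valid base64 whose bytes are not readable text (a heuristic)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    try:
        return not raw.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return True

def inventory(logins_json_text):
    """Summarise what a copy of logins.json exposes, without decrypting it."""
    data = json.loads(logins_json_text)
    rows = []
    for entry in data.get("logins", []):
        changed = datetime.fromtimestamp(entry["timePasswordChanged"] / 1000, tz=timezone.utc)
        rows.append({
            "host": entry["hostname"],  # site names are readable as-is
            "fields_opaque": is_opaque(entry["encryptedUsername"])
                             and is_opaque(entry["encryptedPassword"]),
            "password_changed": changed.date().isoformat(),
        })
    return {"saved": rows, "never_save": data.get("disabledHosts", [])}

if __name__ == "__main__":
    for row in inventory(SAMPLE)["saved"]:
        print(row)
```

The site list and change dates give a rotation checklist if a profile copy may have left your control.
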
0

Unfortunately, if everything required to get your site password is stored on your computer then it is potentially vulnerable to malware. The only way to avoid this is to have user input (in some form). It is basically a trade-off between convenience and safety.

If you don't have a password manager you trust and are willing to put some effort into generating site-unique passwords (which is better than using one password for everything or writing them all down or trying to remember them all), I suggest using passwords which involve the encryption of the site name via something like the Playfair cipher (https://en.wikipedia.org/wiki/Playfair_cipher). This is simple enough that you can do it by hand (e.g. when you are not at your own computer) or can be easily programmed (as a separate application that needs you to input the key). If you need to increase the strength, repeat the result or add prefixes or suffixes. Obviously don't just auto-generate these site-unique passwords, or get your browser to remember them.

  • 2
    Playfair cipher is considered like a toy in modern cryptography. It's too weak to be of any serious use. – Lie Ryan Apr 16 '16 at 01:57
  • 1
    Not only `stored on your computer`, but **potentially** also stored anywhere that your computer has access to. Network storage, internet storage... in a real sense, a networking connection can be viewed as an "extended bus" connection. It's all just signals over wires in essence. Access something via mouse or keyboard clicks, and some programming can also access it. – user2338816 Apr 16 '16 at 06:35
  • @Lie Ryan. You are correct, Playfair is trivial to crack with computers. But I am not suggesting it is used to encipher text. Instead I suggest using it for the generation of part of a site-unique password if you don't or can't trust a password manager. Think of it as manually-generated and human-recoverable obfuscation. It has to be an improvement to trying to come up with (and remember) many unique site passwords. – John Denniston Apr 18 '16 at 08:15
  • @user2338816 I absolutely agree. The potential vulnerability isn't just your physical box. If your password is stored anywhere your computer has access to then it is potentially vulnerable. – John Denniston Apr 18 '16 at 08:18