Where are my Firefox passwords saved?

10

In a fear-driven reaction to recent hacking events I thought over my password strategy. The basic question is: are my saved passwords in Firefox safe from remote access?

I.e. where are they kept, are they kept in plain text, and are there known vulnerabilities?

I run OS X 10.6 & Windows 7.

mbb

Posted 2011-04-05T17:43:04.213

Reputation: 2 206

Answers

10

Firefox keeps your passwords in your profile, and in most/all versions since v2.0 this data is encrypted.

Check out here: http://kb.mozillazine.org/Profile_folder_-_Firefox for locations of the password files on Windows (various versions), Linux and Mac.

  • key3.db - Key database
  • signons.txt - Previous to 2.0.0.2 - Encrypted saved passwords, requires key3.db to work
  • signons2.txt - 2.0.0.2 and above - Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work
  • signons3.txt - 3.0 and above - Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work
  • signons.sqlite - 3.5 and above - Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work.

Ƭᴇcʜιᴇ007

Posted 2011-04-05T17:43:04.213

Reputation: 103 763

4 But what kind of encryption does Firefox use? I can find no Mozilla web page that makes this clear. They just say "encrypted" which is less than informative. – rlandster – 2012-05-20T07:20:50.710
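An inventory check built on the file list in the answer above, added here as an example and not part of the original thread: given a profile folder, it reports which of the listed password-store files exist, whether key3.db sits beside them, and (on POSIX systems) whether any are readable by other local accounts. The function name `audit_profile`, the report layout and the empty placeholder files created in `demo` are assumptions made for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names and version ranges exactly as listed in the answer above.
SIGNON_STORES = {
    "signons.txt": "previous to 2.0.0.2",
    "signons2.txt": "2.0.0.2 and above",
    "signons3.txt": "3.0 and above",
    "signons.sqlite": "3.5 and above",
}
KEY_DB = "key3.db"


def audit_profile(profile_dir):
    """Report which password-store files a profile holds and who can read them."""
    profile = Path(profile_dir)
    report = {
        "stores": {},
        "key_db_present": (profile / KEY_DB).is_file(),
        "findings": [],
    }
    for name, versions in SIGNON_STORES.items():
        if (profile / name).is_file():
            report["stores"][name] = versions
    if report["stores"] and not report["key_db_present"]:
        report["findings"].append("signons file present but key3.db missing (required to work)")
    if os.name == "posix":  # permission bits are only meaningful on POSIX
        present = [KEY_DB] if report["key_db_present"] else []
        for name in present + list(report["stores"]):
            mode = (profile / name).stat().st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                report["findings"].append(f"{name} is readable by other local accounts")
    return report


def demo():
    """Audit a constructed profile folder made of empty placeholder files."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("key3.db", "signons3.txt", "signons.sqlite"):
            path = Path(tmp) / name
            path.touch()
            os.chmod(path, 0o600)
        os.chmod(Path(tmp) / "signons.sqlite", 0o644)  # deliberately loose
        return audit_profile(tmp)


if __name__ == "__main__":
    print(demo())
```

Point `audit_profile` at a real profile folder (the mozillazine page linked in the answer gives the location per operating system) to run the same check on your own machine.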

5

From Firefox Help - Recovering important data from an old profile:

Your passwords are stored in two different files, both of which are required:

  • key3.db - This file stores your key database for your passwords. To transfer saved passwords, you must copy this file along with the following file.
  • signons.sqlite - Saved passwords.

Thus, I would try searching your computer for these two files and checking them out for yourself...

studiohack

Posted 2011-04-05T17:43:04.213

Reputation: 13 125

I wouldn't trust it though. My friend installed Chrome and it was able to copy his passwords over. If Chrome can do it, viruses can. – beatgammit – 2011-04-05T17:51:28.123

He didn't use encryption in that case. If he did, this wouldn't work. – Henno – 2011-04-05T17:55:22.097

If the OP encrypted these files, he would be safe... – studiohack – 2011-04-05T17:59:14.607

1 tjameson suggests that since Chrome can copy the passwords they are not safe. This isn't necessarily so. The passwords are encrypted using the master password. Chrome can copy the files containing the encrypted password, and it can decrypt them if it has the master password. It knows how to decrypt them because the method of encryption is public. It's the key (the master password) that keeps things safe. So the reason Chrome was able to decrypt the file was that the user supplied the master password. – Wayne Johnston – 2011-04-06T01:31:05.470

2

password forensics has an overview and tools for recovery. The latter is a brute force attack on the master password (if you have it, which you should). The security is as good as your password, basically. This link has more details (same site).

Henno

Posted 2011-04-05T17:43:04.213

Reputation: 639

-1

"...Firefox does encrypt the passwords you ask it to remember..." Source

But it's also important to note that anyone who has access to your computer can easily access all of your remembered passwords.

Tools -> Options -> Security tab -> Saved Passwords -> Show Passwords

This list will be filled with all of your remembered usernames and passwords, as well as the site they go to.

Ryan

Posted 2011-04-05T17:43:04.213

Reputation: 1 488

2 My friend had a master password set, but that wasn't enough to stop Chrome from copying the passwords over. I wouldn't trust the security of it. Any virus that knows how to make SQLite queries can recover data. – beatgammit – 2011-04-05T17:57:16.153

1

Firefox does encrypt the passwords if you use a master password. See http://support.mozilla.com/en-US/kb/Options%20window%20-%20Security%20panel?as=u#w_passwords.

– Wayne Johnston – 2011-04-06T01:27:03.370