
How does Firefox store your passwords? Is it secure?

Introduction

I wanted to know more about how Firefox holds saved passwords when I was backing up my machine (http://realinfosec.blogspot.com/2009/08/backup-files-on-vista.html).

There are some online tools for this purpose. The best known one is Xmarks (previously Foxmarks). I didn't want to use it since I was not sure how secure their servers are.

They offer using your own FTP server as an option. However, as you know, FTP itself is not a secure protocol: credentials and files travel in the clear. So I started digging into the way Firefox stores passwords.

Password Files

After some research, here is what I found: Firefox stores passwords in two different files:

key3.db: This file holds the key database. It contains the key that actually encrypts your saved passwords (protected by the master password, if one is set). To transfer saved passwords you must copy this file along with the following file; a signons file without the key3.db it was written against cannot be decrypted.

signons.sqlite: This file holds the saved logins themselves (site, username and password, with the username and password fields stored encrypted) in an SQLite database. (SQLite is the same embedded database engine that Google's Android ships on phones and other small devices.)

Both files are located in the Firefox profile directory:

Linux –> ~/.mozilla/firefox/<profile folder>

Windows Vista/XP/2000 –> %APPDATA%\Mozilla\Firefox\Profiles\xxxxxxxx.default\
Windows 98/Me –> C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\

Mac –> ~/Library/Application Support/Firefox/Profiles/<profile folder>
or ~/Library/Mozilla/Firefox/Profiles/<profile folder>
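Finding the right directory by hand on each platform is error-prone, and what you actually need for a backup or transfer is the pair of files, not just one of them. The script below is an example added here (mine, not code from the original post or from Mozilla): it knows the profile roots listed above, reads the profiles.ini index Firefox keeps in that root, lists which password-related files each profile contains, and flags a profile as transferable only when key3.db sits next to a signons file. The sample root it builds in a temporary directory is constructed for the demo, not a real profile.

```python
import configparser
import os
import platform
import tempfile

# Files that hold (or, in older versions, held) saved logins, oldest format first.
PASSWORD_FILES = ["signons.txt", "signons2.txt", "signons3.txt", "signons.sqlite", "key3.db"]


def default_profile_roots(system=None, env=None, home=None):
    """Candidate Firefox roots (the directory containing profiles.ini) for an OS.
    The paths follow the locations listed in the post; the arguments exist so the
    function can be exercised for another OS without running on it."""
    system = system or platform.system()
    env = os.environ if env is None else env
    home = home or os.path.expanduser("~")
    if system == "Windows":
        roots = []
        if env.get("APPDATA"):
            roots.append(os.path.join(env["APPDATA"], "Mozilla", "Firefox"))
        roots.append(r"C:\WINDOWS\Application Data\Mozilla\Firefox")  # Windows 98/Me
        return roots
    if system == "Darwin":
        return [os.path.join(home, "Library", "Application Support", "Firefox"),
                os.path.join(home, "Library", "Mozilla", "Firefox")]
    return [os.path.join(home, ".mozilla", "firefox")]


def list_profiles(root):
    """Read profiles.ini (the index Firefox keeps) and return (name, absolute path) pairs."""
    ini = os.path.join(root, "profiles.ini")
    if not os.path.isfile(ini):
        return []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(ini)
    profiles = []
    for section in cp.sections():
        if not section.startswith("Profile") or not cp.has_option(section, "Path"):
            continue
        path = cp.get(section, "Path")
        if cp.get(section, "IsRelative", fallback="1") == "1":
            path = os.path.join(root, path)
        profiles.append((cp.get(section, "Name", fallback=section), os.path.normpath(path)))
    return profiles


def password_files(profile_dir):
    """Password-related files actually present in a profile, oldest format first."""
    return [f for f in PASSWORD_FILES if os.path.isfile(os.path.join(profile_dir, f))]


def transferable(profile_dir):
    """True only when key3.db sits next to at least one signons file: a signons file
    copied without the key3.db it was written against cannot be decrypted anywhere."""
    present = password_files(profile_dir)
    return "key3.db" in present and any(f != "key3.db" for f in present)


def make_sample_root():
    """Constructed fixture, not a real profile: a Firefox root with two profiles,
    one complete and one that has an old signons file but no key3.db."""
    root = tempfile.mkdtemp(prefix="ff-demo-")
    layout = {"default": ["key3.db", "signons.sqlite"], "stale": ["signons3.txt"]}
    ini = ["[General]", "StartWithLastProfile=1", ""]
    for i, (name, files) in enumerate(layout.items()):
        rel = os.path.join("Profiles", f"{name}.demo")
        os.makedirs(os.path.join(root, rel))
        for f in files:
            open(os.path.join(root, rel, f), "wb").close()
        ini += [f"[Profile{i}]", f"Name={name}", "IsRelative=1", f"Path={rel}", ""]
    with open(os.path.join(root, "profiles.ini"), "w") as fh:
        fh.write("\n".join(ini))
    return root


if __name__ == "__main__":
    # The constructed root first, then whatever real roots exist on this machine.
    for root in [make_sample_root()] + default_profile_roots():
        for name, path in list_profiles(root):
            print(f"{name:10} {path}")
            print(f"           files: {password_files(path) or 'none'}  transferable: {transferable(path)}")
```

Run it as-is and it prints the constructed profiles followed by any real ones on the machine; for a backup, copy every file that `password_files` reports for a profile, and treat a profile that is not `transferable` as one whose saved passwords are already lost.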

If you upgraded Firefox from a previous version you will also see something like signons3.txt. In that case Firefox kept the passwords in a plain text file (yes, you read that right!).

Before SQLite, Firefox kept passwords in a text file. Up to Firefox 1.5 the file was signons.txt, which stored not only passwords but also the list of sites for which passwords are never saved. Note that the container changed, not the protection: the username and password fields in those text files were the same base64-encoded encrypted blobs that signons.sqlite holds today, so the text file was no weaker than the database that replaced it.

After the Firefox team found a bug (I strongly suggest reading about this interesting MySpace bug!) they started to use signons2.txt. With Firefox 3.0, this file was replaced by signons3.txt, and now we have signons.sqlite. That was the evolution of the password file.

Now let's look at how Firefox encrypts saved passwords.

Encryption

There are basically two cases:

1-) Master password is not set: Are you kidding? I hope you will set one right after reading the next sentences. Firefox does encrypt the saved username and password fields in every case: what you see in signons.sqlite (or signons3.txt) is the base64 encoding of a ciphertext produced through NSS's secret decoder ring (SDR), not base64 of the plaintext. Without a master password, though, the key SDR uses is kept in key3.db protected by an empty password, so anyone who copies signons.sqlite together with key3.db can decrypt every entry instantly, with nothing to guess.

In practice this means there is NO real protection. Everybody who has access to your profile directory can read your passwords easily; PasswordViewer from Ed Mullen is a nice viewer for this purpose.

2-) Master password is set: In this case the key in key3.db is itself encrypted under a key derived from the master password, so the entries in signons.txt and signons.sqlite cannot be decrypted without it.

You may want to know which encryption algorithm Firefox uses. It is TripleDES in CBC mode (des-ede3-cbc). If you want to restrict Firefox to Federal Information Processing Standard (FIPS) 140 approved algorithms you can enable FIPS mode. Note that this does not change the cipher protecting saved passwords (3DES-CBC is itself FIPS approved); what it does is force you to set a master password and limit NSS to approved algorithms:

Tools-> Options-> Advanced-> Encryption-> Security Devices-> Software Security Devices->NSS Internal PKCS #11 Module -> Enable FIPS

Then, disable all the non-FIPS TLS cipher suites in about:config

For more info check here.
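To see for yourself that a saved-password value is encrypted rather than merely encoded, decode one. The following is an example added here, not code from the original post or from Mozilla: it builds a value in the layout NSS writes for SDR output (a base64-encoded DER SEQUENCE holding the key id, an algorithm identifier whose parameter is the CBC IV, and the ciphertext) and parses it back with a small DER reader. The key id is the one NSS assigns its default SDR key (an assumption about a typical profile), and the IV and ciphertext are placeholder bytes, since no real key is involved; what matters is the structure and the des-ede3-cbc OID, which is what the encrypted fields of signons.sqlite contain.

```python
import base64

# OID that NSS writes into every SDR (PK11SDR_Encrypt) blob: des-ede3-cbc
DES_EDE3_CBC_OID = "1.2.840.113549.3.7"


def _der_length(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_sdr_blob(key_id, iv, ciphertext):
    """Assemble the structure NSS stores (built here only to have demo input)."""
    alg = _der(0x30, _der(0x06, _encode_oid(DES_EDE3_CBC_OID)) + _der(0x04, iv))
    seq = _der(0x30, _der(0x04, key_id) + alg + _der(0x04, ciphertext))
    return base64.b64encode(seq).decode("ascii")


def parse_sdr_blob(b64):
    """Split a stored value into key id, cipher OID, IV and ciphertext."""
    raw = base64.b64decode(b64)
    tag, seq, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: this is not an SDR blob")
    _, key_id, pos = _read_tlv(seq, 0)
    _, alg, pos = _read_tlv(seq, pos)
    _, ciphertext, _ = _read_tlv(seq, pos)
    _, oid_raw, apos = _read_tlv(alg, 0)
    _, iv, _ = _read_tlv(alg, apos)
    return {"key_id": key_id.hex(), "cipher_oid": _decode_oid(oid_raw),
            "iv": iv.hex(), "ciphertext": ciphertext.hex()}


def is_3des_cbc_blob(info):
    """3DES-CBC output: the right OID and a ciphertext that is a whole number of 8-byte blocks."""
    return info["cipher_oid"] == DES_EDE3_CBC_OID and len(bytes.fromhex(info["ciphertext"])) % 8 == 0


def looks_like_sdr_blob(b64):
    """False for anything that is not the SDR structure, e.g. plain base64 of a password."""
    try:
        return is_3des_cbc_blob(parse_sdr_blob(b64))
    except (ValueError, IndexError):
        return False


# Constructed sample: the key id is the one NSS gives its default SDR key (assumption);
# the IV and ciphertext are placeholder bytes, not the output of a real key.
SAMPLE_KEY_ID = bytes.fromhex("f8000000000000000000000000000001")
SAMPLE_IV = bytes.fromhex("0011223344556677")
SAMPLE_CIPHERTEXT = bytes.fromhex("8899aabbccddeeff0123456789abcdef")
SAMPLE_BLOB = build_sdr_blob(SAMPLE_KEY_ID, SAMPLE_IV, SAMPLE_CIPHERTEXT)

if __name__ == "__main__":
    print("stored value:", SAMPLE_BLOB)
    for k, v in parse_sdr_blob(SAMPLE_BLOB).items():
        print(f"{k:11} {v}")
    print("plain base64 of 'password' accepted?", looks_like_sdr_blob("cGFzc3dvcmQ="))
```

Point the parser at a real value out of signons.sqlite and you get the same four fields; turning the ciphertext back into the password still needs the 3DES key referenced by the key id, which lives in key3.db and is what makes that file indispensable when you copy a profile.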

How to Choose a Strong Master Password

The key that unlocks key3.db is derived from the master password together with a salt stored in key3.db; that key in turn decrypts the 3DES key which decrypts the saved passwords. An attacker who has copied both files can therefore try master passwords offline, one key derivation at a time, with nothing to slow them down but the cost of each guess.

This means the security of your saved passwords is directly tied to the strength of your master password. To choose a strong master password, consider the following:

1-) It should be easy to remember for YOU and hard to guess for OTHERS.

2-) Mozilla (and most other vendors, Microsoft among them) suggest at least 8 characters mixing upper case, lower case, digits and a special symbol such as #, $ or %.

However, does that satisfy the first half of the first requirement? In other words, will such an alphanumeric-plus-symbols password be easy to remember?

If you think you have a really good memory then you can set your master password this way. Remember, however, that a master password is not easily recoverable. (I will write another blog post on how to recover, i.e. hack, your master password.) You can reset it, but resetting removes all of the saved passwords from the database.

3-) You can use a sentence or phrase which you can remember easily:

Itishardertocrackaprejudicethananatom

This way you won't have a hard time remembering the password, and its length puts it far beyond brute force over the character space. One caveat: that sentence is a famous quotation, and famous quotations are in cracking wordlists, so change a word or two or pick a phrase of your own rather than one anyone can look up.
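To make the derivation above concrete, here is an added example (mine, not the post's and not Mozilla's code) of the master-password key derivation used by NSS's legacy key3.db format as documented by third-party decoders: SHA-1 over the global salt and the master password, then HMAC-SHA-1 keyed on that with the entry salt, yielding a 24-byte 3DES key and an 8-byte IV for one key3.db entry. The salts are constructed for the demo; real ones are read out of key3.db. The final check, decrypting the stored "password-check" entry with 3DES-CBC, needs a 3DES implementation the standard library lacks, so the guessing loop takes it as a callable. An empty master password runs through the same derivation, which is why "no master password" means "a key anyone can derive".

```python
import hashlib
import hmac

# What NSS keeps encrypted under the derived key as a sanity check: the string
# "password-check" plus two bytes of PKCS#7 padding to fill the last 3DES block.
PASSWORD_CHECK_PLAINTEXT = b"password-check\x02\x02"


def derive_key_iv(global_salt, entry_salt, master_password):
    """Derive the 3DES key and IV that protect one key3.db entry.

    global_salt     -- the 20-byte global salt stored in key3.db
    entry_salt      -- the per-entry salt stored with the entry in key3.db
    master_password -- the master password as bytes; b"" when none has been set
    Follows the SHA-1/HMAC-SHA-1 scheme of NSS's legacy key3.db format (as
    documented by third-party decoders). The result unlocks the entry; the
    saved logins themselves are decrypted with the SDR key that entry holds.
    """
    hp = hashlib.sha1(global_salt + master_password).digest()
    pes = entry_salt + b"\x00" * (20 - len(entry_salt))  # entry salt zero-padded to 20 bytes
    chp = hashlib.sha1(hp + entry_salt).digest()
    k1 = hmac.new(chp, pes + entry_salt, hashlib.sha1).digest()
    tk = hmac.new(chp, pes, hashlib.sha1).digest()
    k2 = hmac.new(chp, tk + entry_salt, hashlib.sha1).digest()
    k = k1 + k2  # 40 bytes
    return k[:24], k[-8:]  # 3DES key, CBC IV


def guess_master_password(global_salt, entry_salt, encrypted_check, candidates, decrypt_3des_cbc):
    """Offline guessing loop against the password-check entry.

    decrypt_3des_cbc(key, iv, data) -> bytes must be supplied by the caller (the
    standard library has no 3DES; pycryptodome's DES3 in CBC mode is one option).
    Each guess costs one derivation plus one decryption, so the only defence is a
    master password the attacker cannot enumerate. Returns the match or None."""
    for candidate in candidates:
        key, iv = derive_key_iv(global_salt, entry_salt, candidate.encode("utf-8"))
        if decrypt_3des_cbc(key, iv, encrypted_check) == PASSWORD_CHECK_PLAINTEXT:
            return candidate
    return None


# Constructed salts for the demo; real ones are read from key3.db.
SAMPLE_GLOBAL_SALT = bytes(range(20))
SAMPLE_ENTRY_SALT = bytes.fromhex("00112233445566778899aabbccddeeff0011")

if __name__ == "__main__":
    for pw in (b"", b"hunter2", b"Itishardertocrackaprejudicethananatom"):
        key, iv = derive_key_iv(SAMPLE_GLOBAL_SALT, SAMPLE_ENTRY_SALT, pw)
        print(f"{pw!r:42} key={key.hex()} iv={iv.hex()}")
```

Note what the salts do and do not buy you: they stop one precomputed table from serving every profile, but they do nothing against a guessing loop run against your own key3.db, which is why the candidate list, i.e. your master password's predictability, is the whole game.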

Conclusion

1-) If you want Firefox to save your passwords, then set a master password to protect them.

2-) If you want to transfer your saved passwords to another Firefox, copy signonsN.txt and/or signons.sqlite together with key3.db into the profile directory on the other machine; the signons files are useless without the key3.db they were written against.

Another blog post will be made to explain how to hack/recover Firefox passwords.

Update: I wrote a blog post about SQLite Database Browser. You can use it to look at the fields in the Firefox databases.