Tag Archives: password

How FF store your passwords? Is it secure?

Introduction

I wanted to know more about how Firefox hold saved password when I was backing up my machine (http://realinfosec.blogspot.com/2009/08/backup-files-on-vista.html)

There are some online tools for this purpose. The most well known one is Xmarks ( previously foxmarks). I don’t want to use it since I was not sure how secure their server.

They provide using your ftp server as an option. However, as you know ftp itself is not a secure protocol. So I started to dig about the way Firefox use to store password.

Password Files

After some research, here is what I found: Firefox stores passwords in two different files:

key3.db: This file stores your key database for your passwords. To transfer saved passwords, you must copy this file along with the following file.

signons.sqlite: This file stores saved passwords. ( Google’s Android OS for cellphones and other small devices includes SQLite.)

Both of these two files are located on the Firefox profile directory.

Linux –> ~/.mozilla/firefox/<profile folder>

Windows Vista/XP/2000 –>      %APPDATA%\Mozilla\Firefox\Profiles\xxxxxxxx.default\
Windows 98/Me –>     C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\

Mac –> ~/Library/Mozilla/Firefox/Profiles/<profile folder>
~/Library/Application Support/Firefox/Profiles/<profile folder>

If you upgrade your Firefox from a previous versions you will see some thing like signons3.txt. In this case firefox stores password in a text file (yes, you read it right!).

This was one of the weakest part of firefox passwords. Before SQLite, firefox kept password in a text file. The file name was signons.txt before Firefox 1..5. signons.txt did not only store passwords but also stored a list of sites which password are never saved.

After FF team found a bug ( I strongly suggest to read about this interesting myspace bug! ) they started to use signons2.txt. With Firefox 3.0, this file is replaced by signons3.txt. And now we have signons.sqlite. That was the evolution of password file.

Now let’s look at how Firefox encrypt saved passwords.

Encryption

There are basically two cases:

1-) Master password is not set: Are you kidding? I hope you will set it right away after read next sentence. If master password is not set, Firefox stores passwords in Base 64 encoding! –

Basically this means, there is real NO ENCRYPTION! Everybody who have access your signons.txt can decode your password easily. PasswordViewer from EdMullen is a nice a decoder for this purpose.

2-) Master password is set: In this case, all saved passwords are encrypted by using the master password and stored on signons.txt and signons.sqlite

You may want to know what encryption algoritm Firefox uses. It is TripleDES (CBC mode). If you want to use more secure encryption method you can use Federal Information Processing Standard (FIPS) 140:

Tools-> Options-> Advanced-> Encryption-> Security Devices-> Software Security Devices->NSS Internal PKCS #11 Module -> Enable FIPS

Then, disable all the non-FIPS TLS cipher suites in about:config

For more info check here.

How to Choose a Strong Master Password

Master key for the encryption algorithm are made from salt which is stored on key3.db and Master Password. This key is used to decrypt saved passwords.

This means, security of saved password is directly related to strength of master password. To choose a strong master password, consider followings:

1-) It should be easy to remember for YOU and hard to guess for OTHERS.

2-) Mozilla (and most other companies such as Microsoft) suggest using at least 8 character with upper case, lower case, number and a special symbol like #, $ % etc,

However, do you think this will fulfill the first part of the first requirement? In other words this alpha numeric + special character password will be easy remember?

If you think you have really good memory then you can set your master password in this way. However, you should remember that master password is not easily recoverable. ( I will write another blog post how to recover, hack, your master password) You can reset it but this will remove all of the saved password from database.

3-) You can have a sentence or phrase which you can remember easily:

Itishardertocrackaprejudicethananatom”

In this way you won’t have hard time to remember the password and it won’t be cracked easily (Almost impossible)

Conclusion

1- ) If you want ff save your password, then use master password to protect them.

2- )If you want to transfer your saved password on firefox, then copy singonsN.txt, signons.sqlite and key3.db to your Firefox profile directory.

Another blog post will be made to explain how to hack/recover Firefox password.

 

Update: I made a blog post about SQLite Database Browser. You can use SQLite db browser to learn more about fields in firefox databases.

Wireless Security @ Home

Wireless security is important in the home network for several reasons: The most obvious reason is someone gain access your wireless network easily and spy on your online activities. If they are educated crackers then they can even access your hard drive easily. Another reason is some one can use your wireless network and conduct some illegal activities. You will be responsible all activities they do by using your wireless network since you are owner of the ip.

so now question is how to make your wireless network secure. The steps I will mention below are easy to implement.

  1. Use WPA encryption with strong password
  2. Enable MAC filtering on your router (Plus some other configurations

Now I will discuss these two steps here:

Using encryption and strong password

If you don’t use any encryption for your wireless, that means any body can access your wireless network if their machine are in your wireless antenna’s transmission range. Ok, so we need to use encryption but which one; WEP or WPA ?

WEP stands for Wired Equivalent Privacy. It is introduced in the 1997. It worked well at the beginning, however security analysts discovered that WEP could suffer from Related-key attack. Basically, it means a kid can hack your WEP protected network in 10 minutes by using some hacking applications. Ok, let’s use WPA, but remember we still need to choose a strong password, the password should not be guessable by others. I have two suggestion for you for choosing the password:

1-)It should contain at least one special character, one lower and upper case and one number. The length should be more than 8 characters.

2-) If you don’t like first suggestion then take this one: Use a long phrase, or a sentence; it should be easy to remember for you but hard to guess for crackers- something like ” It is harder to crack a prejudice than an atom.” or “Let freedom ring from the curvaceous slopes of California!”

Later, I will mention WEP and WPA as well as choosing strong password in detail.

Enable MAC filtering on your router (Plus some other configurations)

Mac filtering makes your network accepts  only the computers which you want to have access. Oh, now I can hear that you are saying ” Hey Ismail, we already choose a good encryption method and a strong password, aren’t  those enough? why do we need to use MAC filter?!”

Well, there are two reasons. First reason is some of modems don’t support WPA (like mine!) so you must use mac filter to be sure that you have a protected network. Second reason is even though WPA is strong encryption mechanism, it can still be hacked by using dictionary attack ( a kind of brute force attack). If you watch that kid’s video and realize how a kid can hack your wpa by using simple tools and probably not knowing how they work but knowing what they do;  I can hear that you are now saying “Thanks, thanks Ismail, you saved our network by suggesting mac filtering:-)”

Ahh, I didn’t mention how to set up mac filtering. Ok, if you are using Linux then go to terminal and type route, the ip with G flag is your gate way. For Windows users,  start->run->cmd.exe (or simply start->type cmd in search box for vista) then type ipconfig. Your router ip is the ip of Default Gateway- usually 192.168.2.1 or 192.168.0.1-

After you determine your router’s ip, then type that ip in your browser. You will see your router page, login there, and change your default password and user name. This is so important, other wise anybody who can access your router webpage, can change your encryption password, router password, firewall configurations….

After that, check your firewall settings and be sure that it is on.  Finally add your mac address in the mac filter. (You can get your mac address with ipconfig /all command on Windows or ifconfig command in Linux and Mac-)

I think we are done! Congrats!!

Summary

Having strong password with WPA encryption, configuring your router and change its default password, using mac filtering, turning your router’s firewall on make your network more secure and protected.