Wanted: Firefox Wallet Decryption

Surprisingly, when I reposted my Mozilla Password Manager Tricks page, I got a huge influx of traffic. Apparently this is still useful, which is gratifying, especially since there is a “Show Passwords” button in the Password Manager in newer versions of Mozilla.

Now, for a while (off and on) I’ve been trying to figure out how Firefox encodes passwords. While it looks like base64, it’s not (at least not entirely; base64 may be part of the method). It is some form of actual encryption, although I’m sure it is not terribly strong. Since the code is freely available, it shouldn’t be too difficult to determine the method used to obscure the passwords in the signons.txt file (located in the profile directory). The question is whether this encoding is somehow unique to the user’s installation or PC, which would make a web-based tool hard to impossible, or whether a single key is used. If it’s a single method, we can create a tool similar to this for Firefox passwords. This would be very useful, since Firefox has no such “Show Passwords” button in the Password Manager. Bookmarklets can’t reveal passwords in HTTP auth dialogs or other username/password dialog boxes, and many people would be unable to use DOMI to view their contents.

So, anyone want to step up to the plate? If so, mail me.
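As an editorial addition (not part of the original post, and not Mozilla's own code), the following script shows why the values in signons.txt "look like base64 but aren't". The comment thread below points to key3.db and to NSS's pwdecrypt.c; what that tool decrypts is an NSS SDR blob: base64 wrapping a DER SEQUENCE of a key ID, an AlgorithmIdentifier (3DES-CBC plus IV) and the ciphertext. The key ID names a symmetric key stored in the profile's key3.db, so the value is per-profile and cannot be recovered from signons.txt alone. The older Mozilla "obscure" mode marked its plain-base64 values with a leading "~". The two sample values are constructed inline for this example and are not taken from a real profile; the "ciphertext" bytes are filler, not real 3DES output.

```python
"""Classify a stored value from a legacy Firefox/Mozilla signons.txt.

Two encodings occur in that file:
  * obscured:  "~" followed by plain base64 (reversible by anyone)
  * encrypted: base64 of an NSS SDR blob, a DER SEQUENCE of
        { key-id OCTET STRING, AlgorithmIdentifier, ciphertext OCTET STRING }
    The key-id refers to a key kept in the profile's key3.db, so the
    password cannot be recovered from signons.txt by itself.
Sample values at the bottom are constructed for this example.
"""
import base64

DES_EDE3_CBC = "1.2.840.113549.3.7"  # OID NSS uses for SDR's 3DES-CBC


def read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def expect(buf, pos, tag):
    """Like read_tlv, but insist on a particular tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify(value):
    """Return a dict describing how a signons.txt value is protected."""
    if value.startswith("~"):                       # Mozilla "obscure" mode
        return {"mode": "obscured",
                "plaintext": base64.b64decode(value[1:]).decode("utf-8")}
    blob = base64.b64decode(value)
    seq, end = expect(blob, 0, 0x30)                # outer SEQUENCE
    if end != len(blob):
        raise ValueError("trailing bytes after SDR SEQUENCE")
    key_id, p = expect(seq, 0, 0x04)                # names the key in key3.db
    alg, p = expect(seq, p, 0x30)                   # AlgorithmIdentifier
    ciphertext, p = expect(seq, p, 0x04)
    oid_raw, q = expect(alg, 0, 0x06)
    iv, _ = expect(alg, q, 0x04)                    # CBC IV is the parameter
    return {"mode": "encrypted",
            "key_id": key_id.hex(),
            "algorithm": decode_oid(oid_raw),
            "iv": iv.hex(),
            "ciphertext_len": len(ciphertext)}


# --- constructed samples (not from a real profile) -----------------------
def der(tag, body):
    """Minimal DER encoder for building the sample (short-form length only)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


SAMPLE_KEY_ID = bytes(range(16))                    # placeholder 16-byte key ID
SAMPLE_IV = bytes.fromhex("0123456789abcdef")
SAMPLE_CIPHERTEXT = bytes.fromhex("deadbeefcafef00d0badf00ddefec8ed")  # filler, two 3DES blocks

OBSCURED_SAMPLE = "~" + base64.b64encode(b"s3cret!").decode("ascii")
ENCRYPTED_SAMPLE = base64.b64encode(
    der(0x30,
        der(0x04, SAMPLE_KEY_ID)
        + der(0x30, der(0x06, bytes.fromhex("2a864886f70d0307")) + der(0x04, SAMPLE_IV))
        + der(0x04, SAMPLE_CIPHERTEXT))
).decode("ascii")

if __name__ == "__main__":
    for sample in (OBSCURED_SAMPLE, ENCRYPTED_SAMPLE):
        print(sample, "->", classify(sample))
```

Run it against any value copied from a signons.txt: a "~" value falls straight out as plaintext, while an encrypted one yields only the key ID, algorithm and IV. Turning the ciphertext back into a password requires the matching key from key3.db (unlocked by the master password, which is empty by default), which is exactly the job pwdecrypt.c does and the reason a single-key web tool cannot exist.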

Comments

Mine has a show passwords button – get a nightly…

If you remember in Mozilla, there was an option to obscure or encrypt passwords. The obscured passwords were the Base64 encoded ones. The encrypted ones required a master password to be set that was not remembered. In Firefox, encrypted passwords are the new default I believe.

The latest nightlies do seem to have a Show Passwords button in the Password Manager.

So does the Firefox 0.9.3 release. But on my computer, the dialog never listed any passwords, so the dialog was useless to me. It probably has something to do with installing over an existing installation somewhere along the line…

0.9.3 has a button marked show passwords, which brings up the password manager. This lists sites and usernames only.

Nightlies have another button within the manager that actually reveals the passwords after asking for confirmation (like Seamonkey and Thunderbird)

Brant: Obviously encrypted passwords are the default; the question is _HOW_ they are encrypted, through what method? 🙂

I believe part of it has to do with the "key3.db" file, at least in Firefox.

This is the situation I’m in right now. I backed up some (not all) of the files in my profile when upgrading from 0.8 to 1.0pr. I only copied over the signons.txt file and Firefox can’t read it. Playing around with a dummy profile revealed that if I copied both the key3 and signons files, it could read the passwords.

This has me in a bit of a pickle.

http://kb.mozillazine.org/S

What Sean Andrews wrote is quite right. The key3.db is the encryption key.

So voila! Now if you can get your hands on signons.txt and key3.db you can see the passwords stored in it by just hitting the show password button!

A web-based tool would have quite obvious security issues. signons.txt even includes the addresses of the sites.

Check out mozilla\security\nss\cmd\pwdecrypt\pwdecrypt.c
