Tuesday, May 1, 2012

Firefox passwords

Extracting Firefox passwords

     Firefox stores passwords using functions from their NSS library (Network Security Services). The easiest way to recover passwords saved by FF, without understanding the internals of NSS, is to analyze the code that encrypts the data (security\nss\lib, security\manage\ssl from Firefox source) and use similar functions exported by NSS library (nss3.dll.) for decryption. Encrypted passwords are encoded in Base64, and then stored in a SQLite database, in the Firefox folder under the user profile directory. The decryption key is encrypted (using user master password) and stored together with a salt in key3.db file. 
     An NSS password decryptor is also implemented in the ‘importer’ module from the Chrome browser source tree. 

     Here it's the source code that uses Firefox libraries to extract passwords (unprotected by a master key or with master key specified).  It works the same way as PasswordFox and can be modified/extended the same way.
     Unlike Chrome Passwords or IE,  Firefox passwords are not related to the logged on user, can be dumped offline if unprotected,  and key3.db keys can be brute forced in case a master password is used.


     Some tips for using master password include:
  • Enable master password
  • Chose a good strong master password and you'l be fine until 2020 (3DES in CBC mode)
  • Avoid sniffers by using a password management software that supports this (Latest version of KeePass has very important security features that, if used correctly, can secure the passwords and even make key-logging useless (erase clipboard, block clipboard monitors, auto-type, auto-type obfuscations)