How safe are the by firefox stored passwords?

Discussion in 'privacy technology' started by softtouch, Jul 14, 2009.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Are the passwords stored by firefox safe or can they easily be retrieved?
     
    softtouch, Jul 14, 2009
    #1
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I think they are adequate against a website performing the attack, but I don't think they are adequate against someone on the host machine performing an attack. I have seen a password cracker for Mozilla and it work very very very fast. I've seen it recover a 16 character passphrase in less than 30 seconds.
     
    SteveTX, Jul 14, 2009
    #2
  3. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Even with FF 3.5? I thought they changed from base64 to tripple DES or something like that...

    That means, if somebody steals the signons?.txt files, he would be able to retrieve all my password? THAT would be really bad.


    Edit: You are very much right! I just wrote a small tool and I can easily decrypt FF 3.5 passwords, with a speed of 250 password/s.
    This renders FF password management absolutely useless.
    Is there any other password program which is really safe?
     
    Last edited: Jul 14, 2009
    softtouch, Jul 14, 2009
    #3
  4. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    If you have access to the host machine, you can just read the passwords no need to crack them. See here, and even that piece of code is bloated because it puts the username, password and URL in a nice HTML table instead of dumping to a .txt file.

    There is a program called "iStealer" which can be bound to a legit exe which snatches all IE/FF passwords as well as serial numbers for many installed applications and sends them out via FTP. I believe it has anti-sandboxie and anti-vm capabilities also. Nasty stuff.

    Take a look at KeePass for storage: http://keepass.info/
     
    1boss1, Jul 14, 2009
    #4
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I am no expert in any of this stuff but I learned some time ago, from folks who seemed to know, that browser-based password managers are not safe. I try to discourage everyone I can about using one. I agree that an independent password manager like KeePass is a better way to go.
     
    HAN, Jul 14, 2009
    #5
  6. faterider

    faterider Registered Member

    Joined:
    Nov 6, 2004
    Posts:
    64
    If you put master password nobody could decrypt the info. This is how it's meant to be used.
     
    faterider, Jul 14, 2009
    #6
  7. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Yes, this makes it much more secure. Good you mentioned that... I totally forgot about it.
     
    softtouch, Jul 14, 2009
    #7
  8. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi all :)

    Give a try to PasswordMaker
    https://addons.mozilla.org/fr/firefox/addon/469

    According to PM FAQ:

    «Where are the generated passwords stored?

    Nowhere. The generated passwords are calculated on-the-fly as they are needed. The RAM used to store and calculate the generated passwords is proactively cleared to prevent passwords from being stored in a swap file/virtual memory/paging file. »

    FAQ PasswordMaker

    :)
     
    Climenole, Jul 20, 2009
    #8
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...