Discussion in 'privacy technology' started by softtouch, Jul 14, 2009.
Are the passwords stored by firefox safe or can they easily be retrieved?
I think they are adequate against a website performing the attack, but I don't think they are adequate against someone on the host machine performing an attack. I have seen a password cracker for Mozilla and it works very, very, very fast. I've seen it recover a 16 character passphrase in less than 30 seconds.
Even with FF 3.5? I thought they changed from base64 to triple DES or something like that...
That means, if somebody steals the signons?.txt files, he would be able to retrieve all my passwords? THAT would be really bad.
Edit: You are very much right! I just wrote a small tool and I can easily decrypt FF 3.5 passwords, with a speed of 250 passwords/s.
This renders FF password management absolutely useless.
Is there any other password program which is really safe?
If you have access to the host machine, you can just read the passwords; no need to crack them. See here, and even that piece of code is bloated because it puts the username, password and URL in a nice HTML table instead of dumping to a .txt file.
There is a program called "iStealer" which can be bound to a legit exe which snatches all IE/FF passwords as well as serial numbers for many installed applications and sends them out via FTP. I believe it has anti-sandboxie and anti-vm capabilities also. Nasty stuff.
Take a look at KeePass for storage: http://keepass.info/
I am no expert in any of this stuff but I learned some time ago, from folks who seemed to know, that browser-based password managers are not safe. I try to discourage everyone I can from using one. I agree that an independent password manager like KeePass is a better way to go.
If you set a master password, nobody could decrypt the info. This is how it's meant to be used.
Yes, this makes it much more secure. Good you mentioned that... I totally forgot about it.
Give PasswordMaker a try.
According to the PM FAQ:
«Where are the generated passwords stored?
Nowhere. The generated passwords are calculated on-the-fly as they are needed. The RAM used to store and calculate the generated passwords is proactively cleared to prevent passwords from being stored in a swap file/virtual memory/paging file. »
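An added illustration (not part of the thread, not PasswordMaker's code and not its actual algorithm) of the "calculated on-the-fly" idea in the FAQ quote above: the site password is recomputed from a master password and the site name every time, so there is no stored password file to steal. The PBKDF2/HMAC construction, the character set and all names are assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed character set for this sketch (70 symbols).
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789!@#$%^&*")


def derive_site_password(master, site, username="", length=16,
                         iterations=200_000):
    """Recompute a per-site password; nothing is written to disk.

    Python strings are immutable, so this sketch does not reproduce the
    RAM clearing that the FAQ describes.
    """
    # Site and username act as the salt, so every account gets its own key.
    salt = f"{site}\x00{username}".encode("utf-8")
    # A slow KDF makes guessing the master password from one leaked
    # site password expensive.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              salt, iterations)

    # Bytes at or above this limit are discarded so that the mapping
    # onto CHARSET has no modulo bias.
    limit = 256 - (256 % len(CHARSET))
    out = []
    counter = 0
    while len(out) < length:
        # Expand the key into as many pseudo-random bytes as needed.
        block = hmac.new(key, counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for b in block:
            if b < limit and len(out) < length:
                out.append(CHARSET[b % len(CHARSET)])
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs; the same inputs always give the same password.
    print(derive_site_password("correct horse battery", "example.com", "alice"))
```

The trade-off against a stored vault such as KeePass is that everything depends on the master password: anyone who learns it can regenerate every site password without needing any file from the machine.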