In a fear-driven reaction to recent hacking events I thought over my password strategy. The basic question is: are my saved passwords in Firefox safe from remote access?
I.e. where are they kept, are they kept in plain text, are there known vulnerabilities?
I run OS X 10.6 & Windows 7.
14 Answers
Firefox keeps your passwords in your profile, and in most/all versions since v2.0 this data is encrypted.
Check out here: for locations of the password files on Windows (various versions), Linux and Mac.
2
- key3.db - Key database
- signons.txt - Previous to 2.0.0.2 - Encrypted saved passwords, requires key3.db to work
- signons2.txt - 2.0.0.2 and above - Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work
- signons3.txt - 3.0 and above - Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work
- signons.sqlite - 3.5 and above - Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work.
From Firefox Help - Recovering important data from an old profile:
Your passwords are stored in two different files, both of which are required:
- key3.db - This file stores your key database for your passwords. To transfer saved passwords, you must copy this file along with the following file.
- signons.sqlite - Saved passwords.
Thus, I would try searching your computer for these two files and checking them out for yourself...
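An added example, not part of the answer above: a small Python audit that checks one profile directory for the files that answer lists, reports whether both key3.db and a signons store are present, and on POSIX systems flags files readable by other accounts. The function names and the sample profile are constructed for illustration.

```python
import os
import stat
import tempfile

# File names and version ranges as listed in the answer above.
KEY_DB = "key3.db"
SIGNON_STORES = {
    "signons.txt": "before 2.0.0.2",
    "signons2.txt": "2.0.0.2 and above",
    "signons3.txt": "3.0 and above",
    "signons.sqlite": "3.5 and above",
}

def audit_profile(profile_dir):
    """Report which saved-password files a profile holds and who can read them."""
    report = {"key_db": False, "stores": {}, "complete_set": False, "exposed": []}
    for name in [KEY_DB, *SIGNON_STORES]:
        path = os.path.join(profile_dir, name)
        if not os.path.isfile(path):
            continue
        if name == KEY_DB:
            report["key_db"] = True
        else:
            report["stores"][name] = SIGNON_STORES[name]
        # POSIX only: flag files readable by group or other users.
        if os.name == "posix" and os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            report["exposed"].append(name)
    # Both halves are required: a signons store needs key3.db to work.
    report["complete_set"] = report["key_db"] and bool(report["stores"])
    return report

def make_sample_profile(root, names, mode=0o600):
    """Build a constructed profile directory with empty placeholder files."""
    for name in names:
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    # Constructed sample: a 3.5+ style profile with loose file permissions.
    with tempfile.TemporaryDirectory() as d:
        make_sample_profile(d, ["key3.db", "signons.sqlite"], mode=0o644)
        print(audit_profile(d))
```

Point `audit_profile` at a real profile directory to see which storage generation it uses and whether the key database sits beside it.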
4
password forensics has an overview and tools for recovery. The latter is a brute force attack on the master password (if you have it, which you should). The security is as good as your password, basically. This link has more details (same site).
0
"...Firefox does encrypt the passwords you ask it to remember..." Source
But it's also important to note that anyone who has access to your computer can easily access all of your remembered passwords.
Tools -> Options -> Security tab -> Saved Passwords -> Show Passwords