Firefox Password Hacking

Firefox is an excellent browser and I personally use it constantly. Installing Firefox is usually the first thing I do after installing a fresh operating system and I use Firefox constantly since I spend many hours on the computer through out the week. One common feature of browsers now a days is the ability to save your passwords. The first time you type in a password on a website, a nice little bar pops up at the top of the browser asking if you would like to remember your password. Sure! Most people gladly click ‘Remember Password’ so that they can be lazy and not type in passwords for websites they constantly visit. I personally do this and also use Foxmarks to sync my bookmarks and passwords between various computers.

So how would you hack these passwords? Well, its not really true hacking but simple copying and pasting of a couple files and you can access anybodies saved Firefox passwords. Wait, WHAT? Firefox creates a profile directory on your computer that stores the various information about your Firefox setup like bookmarks, plugins and history. There are two files that are used to store the passwords.

1. key3.db – This file stores a copy of the encryption key used to encrypt the saved passwords.
2. signons.txt, signons2.txt, or signons3.txt – These files store the saved passwords and as you can tell they are plain text files containing the encrypted passwords and logons. The signons.txt file is from early versions of Firefox 2 and signons2.txt is used in Firefox version 2.0.0.2 and later. You should find the signons3.txt file if you are using Firefox 3 or later.

Ok, so where are these files found? These files are stored in the profile directory which can be accessed by browsing to the profile folder based on which operating system you are using:

• Windows Vista and XP:    %APPDATA%\Mozilla\Firefox\Profiles\
• Mac OS:    ~/Library/Application Support/Firefox/Profiles/

You can visit this Mozilla support page if you need help finding your profile directory.

Now that you have found the profile directory that contains the saved passwords, these two files could be copied to another computer for viewing and accessing the passwords. Lets say that someone wants to gain access to your passwords. I am in no way condoning the stealing of someone’s passwords but I’m just telling you so that you can be aware! If they gain access to your computer for even a few seconds, a skilled, mischievous person could copy the two password files to a thumb drive or even access your computer over a wireless network if you are not running some type of firewall. By copying these two files they could then view your passwords using the method I am about to explain.

Lets say that you have gained access to these two files in some sort of a legitimate manner and you are not trying to steal someone’s passwords. For example, you could just want to move your passwords from one computer which could be done through this method:

1. Create a new profile using the Firefox Profile Manager so that you don’t mess up any of your settings. To open the profile manager, type “firefox.exe -profilemanager” into the “Run” dialog on your Start Menu on Windows or type “/Applications/Firefox.app/Contents/MacOS/firefox -profilemanager” into Terminal on your Mac computer. If you need help opening the profile manager, visit this Mozilla support page.
   
2. Once you have the profile manager opened, select “Create Profile…” and give the profile a meaningful name.
   
3. Then choose “Exit”.
   
4. Open up the Firefox profile directory as mentioned above and look for the profile with the same name after the period as the one you just created in the Profile Manager. It should be of the form “xxxxxxxx.profilenamehere” where the “X”s are random letters and numbers.
5. Copy the two password files, key3.db and signons3.txt that you obtained into this profile directory. If it asks if you want to overwrite the files, say “Yes” so that the empty files are overwritten by the ones that actually contain the passwords. This is why we created a new profile. Otherwise, you would be writing over the saved passwords stored in your Firefox profile.
6. Open up the Firefox Profile Manager again. This time, select the profile that you created and select “Start Firefox”. You should now be in Firefox and will be able to access the saved passwords. To view the passwords, go to “Tools -> Options -> Security -> Saved Passwords …”  and then choose “Show Passwords” at the bottom right of the passwords window.
7. Voila! You should now be able to see all of the passwords stored in the files that were copied from a different computer.

Firefox Profile Manager

Well, now, thats fun! Some dubious person who gains access to your computer for more than a couple seconds could potentially steal all of your passwords. This means that a “back-stabbing” friend, tech support guy from some company like Best Buy or the tech support guys at your workplace could steal your passwords without truly hacking anything. Scary? Yes! People are not aware of how exposed they are and they rarely take the steps to protect themselves.

So how do you avoid someone from easily stealing your passwords and accessing your accounts? The makers of Firefox are not stupid and have built in a feature that allows you to set a Master Password. By default, this Master Password is not set and most people never set a Master Password. (This is exactly what it sounds like by the way…a password for your passwords) You can enable the Master Password by going to “Tools -> Options -> Security” and selecting “Use a master password.”

By setting the Master Password, a mischievous person cannot gain access to your passwords. Even if they were to copy your passwords to a different computer, they would have to know your master password in order to select “Show Passwords” as mentioned in Step 6 of the directions above. Also, when they visit a website that a password has been saved for, they would be prompted to enter the Master Password. This means that you will also have to enter the Master Password the first time a saved password is requested by Firefox after opening your browser. Don’t think of this a nuisance but rather an extra layer of security protecting your online identity. Just imagine if some menacing person gained access to your email, Facebook, bank accounts and other important sites?

Ok, I think the point has been made. Set a Master Password in Firefox so that someone cannot easily steal your passwords and access your various online accounts from the privacy of their comptuer.