95 points thunderbong | 27 comments
1. reddalo No.41911976
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeepassXC, but if it's so easy to decrypt their databases...
replies(5): >>41912021 #>>41912023 #>>41912226 #>>41912321 #>>41913160 #
2. mrweasel No.41912021
I never found a way to lock the password manager in Firefox with its own password. They probably aren't bad, but they are also way behind on features and general usability, as compared to standalone password managers.

If you have passwords that are used outside the browser, putting them into the browser's password manager and getting them out again feels a little cumbersome.

Related to the tool: Why not just click the export button in Firefox?

replies(1): >>41912162 #
3. eesmith No.41912023
What is your risk model? An attacker who can install cameras in your house to see your PIN/password? An attacker with a blunt object and the clear intent to harm you if you don't unlock your phone? Your spouse who you trust enough to loan your device to look at a cat pic?
replies(2): >>41912040 #>>41912107 #
4. reddalo No.41912040
My threat model is accidentally installing malware that reads the database of my passwords. I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
replies(3): >>41912050 #>>41912108 #>>41912591 #
5. xvector No.41912050
Your malware would still need the password for the PBKDF step to decrypt the Firefox database.
6. otabdeveloper4 No.41912107
> risk model

Hah. Don't bother us with your mumbo-jumbo, we're doing computer security here.

replies(1): >>41912171 #
7. eesmith No.41912108
So malware which installs a key scanner to read everything you enter is outside of your threat model, as is external surveillance to record what you type.

Choose a password manager which you like. I like having a paper book with a dumb-ass encryption scheme, because my threat model is that I am not going to worry about physical attacks, and servers will detect attempts to brute-force the dumb-ass scheme by adding delays after the first few failures.

I use Firefox's manager for my Mastodon accounts, because no one cares for my 10 followers, and the instance manager can resolve things if needed.

replies(2): >>41912341 #>>41912440 #
8. chungy No.41912162
Check "Use a Primary Password" in preferences.
replies(1): >>41913224 #
9. eesmith No.41912171
I will take Kamchatka from Alaska, using my model cannon, my model horsemen and my three model soldiers.
10. sureIy No.41912226
Safari's absolutely. It uses an OS-wide keychain secured via hardware.
replies(1): >>41913007 #
11. account42 No.41912321
Why is this surprising and why do you expect the situation with external password managers to be different? If you can decrypt it other software running on your computer can too.
replies(1): >>41912392 #
12. 0xEF No.41912341
Isn't your last paragraph part of the problem, though? To paraphrase, you use Firefox's password manager for things you don't care about. So, those simple passwords are tied to small accounts that, individually, add up to nothing, but together start to build a little cache of your emails, throwaway passwords and other tiny bits of data that all get collated with other data scraped about you. This much larger data cache then gets sold and used in attacks like credential stuffing to access even more data, etc.

Your posture is assuming that if it doesn't matter to you, then it doesn't matter at all, and that simply is not true.

replies(2): >>41912470 #>>41912634 #
13. graemep No.41912392
A password manager integrated with the browser could be compromised by a vulnerability in the browser, as well as exploited by something running within the browser.
replies(2): >>41912443 #>>41912571 #
14. Fokamul No.41912440
Trust me, automated bots sending malware always care about your accounts.
15. adrianN No.41912443
That depends on how it is designed.
replies(1): >>41912909 #
16. dwattttt No.41912470
He stated the higher security model he uses; a paper book. As well as his threat model, which is pretty coherent and relevant in this modern age.

I'd love to see someone "hack" his book, it would be quite the impressive hack.

replies(1): >>41912733 #
17. psychoslave No.41912571
Well, unless there is zero integration with the browser, then it’s just a matter of time before some exploit will expose how to retrieve arbitrary information from the external tool.

And of course, the external tool can have plenty of exploitable leaks unrelated to whether or not it’s integrated to some browser.

If the goal is to have better security, no method of using passwords alone will bring significant improvement to an authentication system, no matter how great the password manager they're used with.

replies(2): >>41912922 #>>41912976 #
18. gruez No.41912591
>I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.

You can set a "primary password" for Firefox's password manager, meaning that you first have to enter a password before you can access the stored passwords. That should provide equivalent security to using KeepassXC.

replies(1): >>41912950 #
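An added illustration of the point made in comments 5 and 18 (this is example code written for this page, not code from the thread or from Firefox): once malware can read the credential file, the stored logins are only as safe as the key derived from the primary password, and an unset primary password is equivalent to an empty one. The store layout, iteration count and check label below are constructed assumptions for the model, not Firefox's real on-disk format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed model of a browser-style credential store, NOT Firefox's real format.
# What sits on disk (salt + keyed check value) is readable by any process running as
# the user, which is exactly the "malware reads my database" threat model in comment 4.
# Assumption: the iteration count and check label are illustrative choices.
ITERATIONS = 100_000
CHECK_LABEL = b"store-unlock-check"


def derive_key(primary_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the store's encryption key from the (possibly empty) primary password."""
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode("utf-8"), salt, iterations, dklen=32)


def create_store(primary_password: str) -> dict:
    """Build what gets persisted. A browser with no primary password set behaves like ""."""
    salt = os.urandom(16)
    verifier = hmac.new(derive_key(primary_password, salt), CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(store: dict, candidate: str) -> Optional[bytes]:
    """The unlock step: return the key only if the candidate reproduces the stored verifier."""
    key = derive_key(candidate, store["salt"])
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, store["verifier"]) else None


def recoverable_with(store: dict, candidates: list) -> Optional[str]:
    """Exposure check for a copied store: which candidate, if any, unlocks it offline.
    Offline means no server-side lockout or delay applies, only the PBKDF2 cost per guess."""
    for candidate in candidates:
        if unlock(store, candidate) is not None:
            return candidate
    return None


if __name__ == "__main__":
    no_primary = create_store("")                           # default: nothing set
    weak = create_store("password")                         # short, common primary password
    strong = create_store("correct horse battery staple")   # constructed passphrase
    small_list = ["", "password", "123456"]
    for name, store in (("none", no_primary), ("weak", weak), ("strong", strong)):
        print(f"primary password {name}: recoverable with {recoverable_with(store, small_list)!r}")
```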
19. eesmith No.41912634
> little cache of your emails, throwaway passwords

I have five passwords in my Firefox manager. (More if I include the ones which are no longer valid, like a few ftp passwords, and passwords to routers I no longer use.)

I think I'm safe.

I avoid online services which require identity as much as I can, because yes, any data builds up. Which means, yes, I buy things in stores, not online, I use cash, not credit/debit/e-cash, and I don't use apps.

If you do use online services, apps, etc., then it sure feels like you are assuming that information leak doesn't matter to you, so it doesn't matter at all.

20. psychoslave No.41912733
Surprising that someone cares to invest so much effort in it unless it can unlock some institutional-level threats to leverage for some geopolitical negotiation, or at least plots between big companies. But an impressive hack, not necessarily.

https://xkcd.com/538/

https://xkcd.com/2176/

21. graemep No.41912909
Is Firefox's designed in a way that prevents that?

Given it can automatically insert passwords for a site, something in the browser can access passwords.

22. graemep No.41912922
Any tool can have leaks, but integration with an application that connects to large numbers of servers over the internet seems to be a huge increase in attack surface to me, compared to a password manager that is external to the browser.
23. reddalo No.41912950
> You can set a "primary password" for firefox's password manager

Wow. I've been using Firefox for 18+ years and I never knew about this feature! Thanks!

24. dspillett No.41912976
> Well, unless there is zero integration with the browser, then it’s just a matter of time before some exploit…

Which is why my password manager has zero integration directly with the browser, or anything else for that matter. There is a tiny little bit of extra legwork caused by this⁰, but IMO it is a good compromise between convenience and easily available attack surface.

----

[0] and it might be susceptible to attacks that manage to listen to the OS message queue & clipboard where a browser integrated method would not be, but once something is that far into your system there isn't much that is going to help you except maybe an orbital nuke.

25. larschdk No.41913007
Does this prevent other software running on the same hardware from accessing the keychain?

E.g. on Windows, any program can access the entirety of the credential store for the current user.

26. paulryanrogers No.41913160
Every KeePass-based solution I've tried was far from ready for normal users. Because they need browser integration out of the box, and it has to be smooth. Even BitWarden is still too difficult to use.
27. blibble No.41913224
reasonably certain this doesn't encrypt your cookies

which are in some cases better than your passwords (already passed 2FA, etc)