95 points thunderbong | 10 comments
reddalo No.41911976
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeepassXC, but if it's so easy to decrypt their databases...
replies(5): >>41912021 #>>41912023 #>>41912226 #>>41912321 #>>41913160 #
eesmith No.41912023
What is your risk model? An attacker who can install cameras in your house to see your PIN/password? An attacker with a blunt object and the clear intent to harm you if you don't unlock your phone? Your spouse who you trust enough to loan your device to look at a cat pic?
replies(2): >>41912040 #>>41912107 #
1. reddalo No.41912040
My threat model is accidentally installing malware that reads the database of my passwords. I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
replies(3): >>41912050 #>>41912108 #>>41912591 #
2. xvector No.41912050
Your malware would still need the password for the PBKDF step to decrypt the Firefox database
3. eesmith No.41912108
So malware which installs a key scanner to read everything you enter is outside of your threat model, as is external surveillance to record what you type.

Choose a password manager which you like. I like having a paper book with a dumb-ass encryption scheme, because my threat model is that I am not going to worry about physical attacks, and servers will detect attempts to brute-force the dumb-ass scheme by adding delays after the first few failures.

I use Firefox's manager for my Mastodon accounts, because no one cares for my 10 followers, and the instance manager can resolve things if needed.

replies(2): >>41912341 #>>41912440 #
4. 0xEF No.41912341
Isn't your last paragraph part of the problem, though? To paraphrase, you use Firefox's password manager for things you don't care about. So, those simple passwords are tied to small accounts that, individually, add up to nothing, but together start to build a little cache of your emails, throwaway passwords and other tiny bits of data that all get collated with other data scraped about you. This much larger data cache then gets sold and used in attacks like credential stuffing to access even more data, etc.

Your posture is assuming that if it doesn't matter to you, then it doesn't matter at all, and that simply is not true.

replies(2): >>41912470 #>>41912634 #
5. Fokamul No.41912440
Trust me, automated bots sending malware always care about your accounts.
6. dwattttt No.41912470{3}
He stated the higher-security model he uses: a paper book. As well as his threat model, which is pretty coherent and relevant in this modern age.

I'd love to see someone "hack" his book, it would be quite the impressive hack.

replies(1): >>41912733 #
7. gruez No.41912591
>I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.

You can set a "primary password" for firefox's password manager, meaning that you first have to enter a password before you can access the stored passwords. That should provide equivalent security to using KeepassXC.

replies(1): >>41912950 #
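As an added example, not from this thread and not Mozilla's code: a stand-in vault that derives its key from the primary password with PBKDF2-HMAC-SHA256 (the "PBKDF step" xvector refers to above) and a function showing what malware that has copied the vault file can do with it offline, with and without a primary password set. The file layout, the iteration count, the HMAC-based counter-mode cipher used in place of a real AES mode, the sample logins and the guess list are all assumptions chosen so it runs on the Python standard library alone; none of it reproduces Firefox's key4.db or logins.json format.

```python
"""Stand-in password vault (added example; not Firefox's real format).

Shows the role of the primary password in the PBKDF step and what malware
that has copied the vault file can do offline, with and without one.
The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC
tag, chosen only so the example runs on the standard library; a real
implementation would use AES-GCM or similar.
"""
import hashlib
import hmac
import json
import secrets
import struct

# Assumed PBKDF2 cost; Firefox's own parameters are not reproduced here.
ITERATIONS = 100_000


def derive_key(primary_password: str, salt: bytes, iterations: int) -> bytes:
    """The PBKDF step: the only secret input is the primary password.
    An empty primary password is a valid (and trivially guessable) input."""
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _subkeys(master: bytes):
    """Split the derived key into separate encryption and MAC keys."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a block cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(primary_password: str, logins: dict, iterations: int = ITERATIONS) -> dict:
    """Encrypt the logins under a key derived from the primary password."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_key(primary_password, salt, iterations))
    plaintext = json.dumps(logins, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iterations": iterations,
            "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(primary_password: str, vault: dict):
    """Return the logins, or None if the password is wrong or the file was tampered with."""
    salt = bytes.fromhex(vault["salt"])
    nonce = bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    enc_key, mac_key = _subkeys(derive_key(primary_password, salt, vault["iterations"]))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(vault["tag"])):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def offline_attack(vault: dict, wordlist):
    """What malware holding a copy of the file can do: guess offline, with no
    server-side rate limit. 'No primary password set' means the empty string
    is simply the first guess."""
    for guess in [""] + list(wordlist):
        logins = decrypt_vault(guess, vault)
        if logins is not None:
            return guess, logins
    return None, None


if __name__ == "__main__":
    # Constructed sample data and guess list (assumptions for the demo).
    logins = {"https://example.com": {"user": "alice", "password": "hunter2"}}
    wordlist = ["password", "123456", "letmein", "firefox"]

    no_primary = encrypt_vault("", logins)
    print("no primary password:", offline_attack(no_primary, wordlist))

    strong = encrypt_vault("correct horse battery staple", logins)
    print("strong primary password:", offline_attack(strong, wordlist))
```

The design point is the one gruez makes: once the copied file is only as hard to open as the primary password is to guess, an empty primary password means the copied file opens with no secret at all, while a long one leaves an attacker with an offline guessing problem whose cost is the PBKDF iteration count times the number of guesses.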
8. eesmith No.41912634{3}
> little cache of your emails, throwaway passwords

I have five passwords in my Firefox manager. (More if I include the ones which are no longer valid, like a few ftp passwords, and passwords to routers I no longer use.)

I think I'm safe.

I avoid online services which require identity as much as I can, because yes, any data builds up. Which means, yes, I buy things in stores, not online, I use cash, not credit/debit/e-cash, and I don't use apps.

If you do use online services, apps, etc., then it sure feels like you are assuming that information leak doesn't matter to you, so it doesn't matter at all.

9. psychoslave No.41912733{4}
Surprising that someone would care to invest so much effort in it unless it can unlock some institutional-level threats to leverage for some geopolitical negotiation, or at least plots between big companies. But impressive hack, not necessarily.

https://xkcd.com/538/

https://xkcd.com/2176/

10. reddalo No.41912950
> You can set a "primary password" for firefox's password manager

Wow. I've been using Firefox for 18+ years and I never knew about this feature! Thanks!