
95 points thunderbong | 6 comments
reddalo ◴[] No.41911976[source]
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeePassXC, but if it's so easy to decrypt their databases...
replies(5): >>41912021 #>>41912023 #>>41912226 #>>41912321 #>>41913160 #
account42 ◴[] No.41912321[source]
Why is this surprising, and why do you expect the situation with external password managers to be different? If you can decrypt it, other software running on your computer can too.
replies(1): >>41912392 #
1. graemep ◴[] No.41912392[source]
A password manager integrated with the browser could be compromised by a vulnerability in the browser, as well as exploited by something running within the browser.
replies(2): >>41912443 #>>41912571 #
2. adrianN ◴[] No.41912443[source]
That depends on how it is designed.
replies(1): >>41912909 #
3. psychoslave ◴[] No.41912571[source]
Well, unless there is zero integration with the browser, it's just a matter of time before some exploit will expose how to retrieve arbitrary information from the external tool.

And of course, the external tool can have plenty of exploitable leaks unrelated to whether or not it's integrated with some browser.

If the goal is to have better security, no method of using passwords alone will bring significant improvement to an authentication system, no matter how great the password manager they're used with.

replies(2): >>41912922 #>>41912976 #
4. graemep ◴[] No.41912909[source]
Is Firefox's designed in a way that prevents that?

Given it can automatically insert passwords for a site, something in the browser can access passwords.

5. graemep ◴[] No.41912922[source]
Any tool can have leaks, but integration with an application that connects to large numbers of servers over the internet seems to be a huge increase in attack surface to me, compared to a password manager that is external to the browser.
6. dspillett ◴[] No.41912976[source]
> Well, unless there is zero integration with the browser, then it’s just a matter of time before some exploit…

Which is why my password manager has zero integration directly with the browser, or anything else for that matter. There is a tiny little bit of extra legwork caused by this⁰, but IMO it is a good compromise between convenience and easily available attack surface.

----

[0] and it might be susceptible to attacks that manage to listen to the OS message queue & clipboard where a browser integrated method would not be, but once something is that far into your system there isn't much that is going to help you except maybe an orbital nuke.