←back to thread

Firefox-Passwords-Decryptor: Extracts and decrypts passwords saved in Firefox

(github.com)
95 points thunderbong | 2 comments | 22 Oct 24 04:23 UTC | HN request time: 0s | source
Show context
reddalo ◴[22 Oct 24 07:20 UTC] No.41911976[source]
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeepassXC, but if it's so easy to decrypt their databases...
replies(5): >>41912021 #>>41912023 #>>41912226 #>>41912321 #>>41913160 #
eesmith ◴[22 Oct 24 07:29 UTC] No.41912023[source]
What is your risk model? An attacker who can install cameras in your house to see your PIN/password? An attacker with a blunt object and the clear intent to harm you if you don't unlock your phone? Your spouse who you trust enough to loan your device to look at a cat pic?
replies(2): >>41912040 #>>41912107 #
reddalo ◴[22 Oct 24 07:33 UTC] No.41912040[source]
My threat model is accidentally installing malware that reads the database of my passwords. I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
replies(3): >>41912050 #>>41912108 #>>41912591 #
eesmith ◴[22 Oct 24 07:45 UTC] No.41912108[source]
So malware which installs a key scanner to read everything you enter is outside of your threat model, as is external surveillance to record what you type.

Choose a password manager which you like. I like having a paper book with a dumb-ass encryption scheme, because my threat model is that I am not going to worry about physical attacks, and servers will detect attempts to brute-force the dumb-ass scheme by adding delays after the first few failures.

I use Firefox's manager for my Mastodon accounts, because no one cares for my 10 followers, and the instance manager can resolve things if needed.

replies(2): >>41912341 #>>41912440 #
0xEF ◴[22 Oct 24 08:36 UTC] No.41912341[source]
Isn't your last paragraph part of the problem, though? To paraphrase, you use Firefox's password manager for things you don't care about. So, those simple passwords are tied to small accounts that, individually add up to nothing, but together start to build a little cache of your emails, throwaway passwords and other tiny bits of data that all get collated with other data scraped about you. This much larger data cache then gets sold and used I attacks like credential stuffing to access even more data, etc.

You're posture is assuming that if it doesn't matter to you, then it doesn't matter at all, and that simply is not true.

replies(2): >>41912470 #>>41912634 #
1. dwattttt ◴[22 Oct 24 09:01 UTC] No.41912470[source]
He stated the higher security model he uses; a paper book. As well as his threat model, which is pretty coherent and relevant in this modern age.

I'd love to see someone "hack" his book, it would be quite the impressive hack.

replies(1): >>41912733 #
2. psychoslave ◴[22 Oct 24 09:51 UTC] No.41912733[source]
Surprising that someone care to invest so much effort in it unless it can unlock some institutional level threats to leverage on for some geo-political negotiation or at least plots between big companies. But impressive hack, not necessarily.

https://xkcd.com/538/

https://xkcd.com/2176/