←back to thread

Firefox-Passwords-Decryptor: Extracts and decrypts passwords saved in Firefox

(github.com)
110 points thunderbong | 2 comments | 22 Oct 24 04:23 UTC | HN request time: 0s | source
Show context
reddalo ◴[22 Oct 24 07:20 UTC] No.41911976[source]
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeepassXC, but if it's so easy to decrypt their databases...
replies(5): >>41912021 #>>41912023 #>>41912226 #>>41912321 #>>41913160 #
sureIy ◴[22 Oct 24 08:07 UTC] No.41912226[source]
Safari's absolutely. It uses a OS-wide keychain secured via hardware.
replies(2): >>41913007 #>>41917232 #
larschdk ◴[22 Oct 24 10:45 UTC] No.41913007[source]
Does this prevent other software running on the same hardware from accessing the keychain?

E.g. on Windows, any program can access the entirety of the credential store for the current user.

replies(1): >>41914830 #
bdash ◴[22 Oct 24 14:45 UTC] No.41914830[source]
Each keychain item on macOS has an access control list associated with it that lists the applications that are granted access to the keychain item. If an application not on the ACL attempts to access a keychain item, macOS prompts the user for authorization. The ACL entries identify applications based on properties of their code signature and so are not spoofable.
replies(1): >>41916168 #
1. sureIy ◴[22 Oct 24 16:49 UTC] No.41916168[source]
Correct. The best part of this system (Keychain Access) is that it has been around for more than 20 years. Only this year it got a UX makeover.

One interesting thing I noticed is that Chrome and Firefox can also seamlessly see and use Passkeys I stored in Safari even if normally they don't read the passwords from there.

Using each passkey however still requires a fingerprint every time.

replies(1): >>42013212 #
2. bdash ◴[01 Nov 24 01:27 UTC] No.42013212[source]
Passkeys are a different story than the keychain more generally. Other browsers that work with passkeys via the system APIs had to jump through hoops and get Apple's approval to do so: https://developer.apple.com/documentation/bundleresources/en...