At work, we use 1Password, but for personal use, I recommend 0Password https://0password.github.io/ which I made myself :)
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeepassXC, but if it's so easy to decrypt their databases...
I never found a way to lock the password manager in Firefox with its own password. They probably aren't bad, but they are also way behind on features and general usability, as compared to standalone password managers.

If you have passwords that are used outside the browser, putting them into the browser's password manager and getting them out feels a little cumbersome.

Related to the tool: Why not just click the export button in Firefox?

What is your risk model? An attacker who can install cameras in your house to see your PIN/password? An attacker with a blunt object and the clear intent to harm you if you don't unlock your phone? Your spouse who you trust enough to loan your device to look at a cat pic?
My threat model is accidentally installing malware that reads the database of my passwords. I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
There are a large number of similar projects out there.

I implemented login credential extraction for both Chrom* and FF-based browsers in the somewhat shambolic but generally-useful `browser_cookie3` Python module last year:

https://github.com/borisbabic/browser_cookie3/compare/master...

Firefox is using TripleDES??
It uses both AES and TripleDES

If you glance at the code there's a single "key encryption key" in the whole SQLITE file (in the 'metadata' table). That key is decrypted using AES with the PBKDF2 derived secret.

Then each password is in turn encrypted using TripleDES. The "data encryption key" for each of these records is in turn encrypted using the aforementioned "key encryption key".

My suspicion is that the TripleDES format must be really old, and when they migrated the crypto layer to use AES they just re-encrypted the top layer (the "key encryption key" layer) to use AES. It's much faster (and safer) to just re-encrypt all the TripleDES keys with the new AES than go and mess with "all" the records in the database. It's inelegant and lazy but you effectively get "AES level" of security without having to do all the work, so to speak…

https://github.com/Sohimaster/Firefox-Passwords-Decryptor/bl...
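The layering described in the comment above, as an added sketch that is not code from Firefox, the linked decryptor or `browser_cookie3`: a PBKDF2-derived secret wraps one key-encryption key, which wraps per-record data keys. The cipher is a toy HMAC-SHA256 keystream standing in for both AES and TripleDES, and every function name and the store layout are assumptions; the point shown is that re-wrapping the top layer leaves each stored record byte-for-byte unchanged.

```python
import hashlib, hmac, os

def _keystream_xor(key, nonce, data):
    # Toy cipher (HMAC-SHA256 in counter mode); a stand-in, NOT AES or TripleDES.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified blob")
    return _keystream_xor(key, nonce, ct)

def _wrap_kek(store, password, kek, iterations):
    # Top layer: the PBKDF2-derived secret encrypts the single key-encryption key.
    store["salt"], store["iterations"] = os.urandom(16), iterations
    secret = hashlib.pbkdf2_hmac("sha256", password.encode(), store["salt"], iterations)
    store["wrapped_kek"] = seal(secret, kek)

def new_store(password, iterations=10_000):
    store = {"records": []}
    _wrap_kek(store, password, os.urandom(32), iterations)
    return store

def unlock(store, password):
    secret = hashlib.pbkdf2_hmac("sha256", password.encode(), store["salt"], store["iterations"])
    return unseal(secret, store["wrapped_kek"])

def add_record(store, password, value):
    dek = os.urandom(32)  # per-record data encryption key, wrapped by the KEK
    store["records"].append((seal(unlock(store, password), dek), seal(dek, value.encode())))

def read_record(store, password, index):
    wrapped_dek, ct = store["records"][index]
    return unseal(unseal(unlock(store, password), wrapped_dek), ct).decode()

def rewrap_top_layer(store, old_password, new_password, iterations):
    # Only the wrapped KEK changes; records and their wrapped DEKs are not touched.
    _wrap_kek(store, new_password, unlock(store, old_password), iterations)
```

Because the record ciphertexts are never rewritten, whatever cipher produced them is still what protects each record at rest after the top layer changes.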

I don't know about the particular case of TripleDES+AES but I think in a general case you can't claim that A+B encryption is always at least as strong as B alone. The A part can result in e.g. first bytes of input being the same enabling a crib-type attack.
The README is surely LLM slop.
> Firefox is using TripleDES??

What's wrong with it? /s

I would mostly say that it's just slow and AES is a much more modern and faster cipher (partly due to hardware acceleration built into modern chips) that is already built into Firefox to support TLS anyways. There are some known attacks against 3DES now, but nothing that completely breaks it yet. And, since this is just for local storage, primarily, it shouldn't be as vulnerable as using 3DES for TLS channel encryption.
Thanks, even though the comment above signaled sarcasm, the explanation was helpful for me, as I really had no idea what 3DES means and why it could be problematic.
I shudder to think that even a simple Google query leading to a Wikipedia article was too much effort here...

https://en.wikipedia.org/wiki/Triple_DES

Any "simple" Google query now means pages of nonsense answers, promoted sites, AI "help", before you even get to a cogent result.

Much better to just talk to others than use Google.

When I google „TripleDES“, the first result is a box showing the Wikipedia article on Triple DES. Click on that and you’re done.
Agree with the sentiment, but that's a Wikipedia link. Wikipedia is (as of yet) immune to LLM slop
Reddit, got it.

and Google and quora are in cahoots, right?