Tuesday, December 29, 2009

How safe are your browser passwords?

Are you one of those people who stores all of your web logins in your browser? I have had lots of people tell me that it is unsafe to store your userids and passwords in your browser. But not being one to take other people’s word for it I decided to test it myself.


Firefox stores passwords on a per profile basis in a file called signons.sqlite, the userids and passwords stored in that file are base-64 encoded using a key stored in key3.db. Note that I said encoded, not encrypted. Encoded means that anyone with access to signons.sqlite and key3.db

can reverse the encoding to reveal the userids and passwords. There are several tools available to do just that. Below is a screenshot from Password Fox one of the so-called password recovery tools that decode Firefox passwords. As you can see it displays both the userid and the password.

If you have access to the browser you don’t even need one of the recovery tools. If you go into the Tools -> Options -> Security screen there is a “Saved Passwords” button which will gladly show you the userids and if you click the “Show Passwords” button, the passwords as well.

One of the other features of Firefox is the ability to add a master password. The master password is used to encrypt the userids and passwords in the password store. The master password must be provided when you start Firefox and is used to decode the userids and passwords as required. This means that without the master password that the “password recovery” tools like Password Fox can still tell what sites you have stored, but can’t view the userids or passwords.

There is another advantage of setting a master password. With a master password set when you click the “Saved Passwords” button you must enter the master password before the you can view the stored information.

Of course, there are a number of tools out there to “recover” the Firefox master password. Under the covers these tools are all brute force engines.

What this tells me is that if you use a high quality password, or better yet a high quality passphrase there shouldn’t be any real risk to storing your Internet userids and passwords in Firefox.

Internet Explorer

Ok, I am a Firefox user normally, so I haven’t spent a whole lot of time on IE. But here is a quick overview.

Unfortunately Internet Explorer suffers from the same problems. IE PassView is one of many tools that can display Internet Explorer Passwords.

Unfortunately as far as I know IE 8 does not appear to have a master password or provide any other way to encrypt the userids and passwords.


In a nutshell; I wouldn't store userids and passwords in Internet Explorer. I feel safe enough with storing userids and passwords in Firefox as long as a strong passphrase is used as a master password to encrypt them.

Of course there is still the issue of what the browsers do with passwords in memory. Perhaps that is research for another day, but for the moment I think I am prepared to take that risk.

1 comment:

Tim said...

Good topic, as this is one of those things which affects all computer users.

In Opera, the wand.dat file is encrypted, but recoverable if a master password is not used. In Chrome, it gets more interesting. There is encryption on Windows (tied to the system userid I believe); on Linux, there is none at all. There are other options (lastpass being one), but not as a built-in.