http://www.nirsoft.net/utils/passwordfox.html (Win) PasswordFox v1.58 - Extract the usernames/passwords stored in Firefox Copyright (c) 2008 - 2017 Nir Sofer

Note: Some anti-virus show false positive. ++++++++++++++++++++++++++++++++++ Easily export your passwords from Firefox. https://github.com/kspearrin/ff-password-exporter

Export your passwords from Firefox in a portable CSV or JSON format. It works on Windows, macOS, and Linux. +++++++++++++++++++++++++++++++++++ 3 Tools to Decrypt and Recover Passwords Saved in Firefox • Raymond CC https://www.raymond.cc/blog/how-to-find-hidden-passwords-in-firefox/ +++++++++++++++++++++++++++++++++++ https://www.ghacks.net/2018/07/18/how-to-export-firefox-passwords-in-firefox-57/ ++++++++++++++++++++++++++++++++++++ https://github.com/kspearrin/ff-password-exporter

Thank you. In retrospect, it would be nice to do this locally, as in without added software. I'm not entirely comfortable handing all my passwords to a piece of software whose repute is not well understood. I guess I'm OK handing them to Mozilla.

A little strange that, at least on a Mac, I am unable to easily copy the list that is displayed in "Saved Logins".

You can use code in the Browser Console to get such a list. That way you do not have to install the above mentioned ff-password-exporter

• https://www.ghacks.net/2018/07/18/how-to-export-firefox-passwords-in-firefox-57/

See these threads for more detail.

• /questions/1239821#answer-1171958 Will Saved Password Editor ever work again?
• /questions/1195733#answer-1053091 Is it possible to export the saved passwors to HTLM?

That's kinda slick, running that JavaScript code in the Browser Console to export the passwords to a JSON file. It works! Thank you very much.

You're welcome.

Now, as it turns out, the relevant file is logins.json, which is easily accessible on a Mac at Library>ApplicationSupport>Firefox inside your profile folder. All your passwords are there, but they are encrypted! This is a responsible way to do it, because it means that your logins are protected by more than your OS login. If it weren't for that encryption, the Firefox Master Password would offer no added security. Firefox uses the Master Password to decrypt the passwords in this file.

danll said

Firefox uses the Master Password to decrypt the passwords

That is not correct. The Master Password option adds an extra layer of encryption.

Thank you. So if the Master Password adds an extra layer of encryption, what password is used for the first layer of encryption? Is that the user login password?

That I don't know. And I don't think that kind of information should be made public.

That is a default salt value that is generated when the key file (key4.db) is created. This salt value is stored in the key file where also the master password flag is stored when you use it. When you do not use a MP then the logins.json file can be decrypted with only the key file. If you use a MP then you need to supply the MP to be able to decrypt the passwords.

• Bug 973759 - Master password should be protected with stronger cryptography

(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)

Now, the k4.db file is in my Preference folder. So you're saying that, in principle, armed with a k4.db file, a MP-unprotected logins.json file can be decrypted. I gather there are open-source tools to do that.

That looks to mean that an MP-unprotected logins.json file and a k4.db file just requires some work to get passwords. But it can be done straightforwardly. So it's protected from lazy thieves. On the other hand, an MP-protected logins.json file cannot be decrypted at all without the MP.

If you are logged in to the software security device (i.e. you have entered the MP during this session) then in principle you can access the passwords via code in the Browser Console (passwordmanager.getAllLogins({})). If you cancel a MP prompt or logout via the Devices Manager then you log out and need to re-enter the MP again.

Without a MP you can always access the passwords via specific code or with an external password utility that can handle the Firefox passwords files (logins.json and key4.db).

Yes, that's how I got the password listing in the first place. By logging in with my MP and going to the Browser Console.

But you're saying without a MP you can access the passwords? That's hard to believe, and pretty insecure. If they're encrypted, and you don't have an encryption key, it ain't gonna be easy.

The passwords are always encrypted when stored in logins.json, but the default encryption key is stored in the key file. That is why you always need a matching logins.json and key4.db pair. When a MP is used then only this MP can decrypt the encrypted usernames and passwords.

OK, that makes sense. The default encryption key is stored in an insecure place, so decryption is possible. Passwords are casually secure, but not formally secure. But when MP-protected, passwords are absolutely secure.

Thank you all. It's one thing to be assured that Firefox passwords are secure. It's another thing to understand the different levels of security.

Passwords protected via a MP are as secure as the MP is. There is not much real protection With a weak MP that can easily be found via brute force methods or a dictionary look up.

• https://en.wikipedia.org/wiki/Password_strength

That's certainly true, and a better way to say it than "absolutely protected." MP-protected passwords are as secure as the MP.