
This thread was archived. Please ask a new question if you need help.

How does the password manager encrypt passwords?


I'd like to know what encryption algorithm is used for the password manager and the process behind it. Since I'm using this information for a paper, I'd appreciate it if you could add a source as well, if possible.

All Replies (2)


This is mostly background information; it doesn't answer your question completely:

When you save a login in Firefox, it is stored in a file in your profile folder named logins.json. If you open that file in a text editor, you will see that the contents of the username and password fields are encrypted.

The encryption key is stored in the key4.db file in the same folder. If an attacker obtains both files, then the logins can be decrypted either by another installation of Firefox or by various readily available tools.

To protect the logins against this kind of attack, the user needs to discover the option to create a Primary Password. See: Use a Primary Password to protect stored logins and passwords. Assuming the attacker does not know the primary password, they would need to use brute force to decrypt the passwords.

Now we come to your question of the algorithm because it obviously makes a big difference in whether a brute force attack -- if the attacker doesn't have the associated key4.db file or doesn't know the Primary Password -- could succeed in a reasonable amount of time.

[cipher + hashing methods TBD]

You might also wonder about Firefox Sync. Firefox Sync uses the Firefox Account password to pre-encrypt logins before uploading them to the Sync cloud. This has been heavily tested and widely discussed, so it probably will be easier to find information about this aspect than the local file aspect. See: How Firefox Sync keeps your data safe even if TLS fails.
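The reply above says that opening logins.json shows every field except the two encrypted ones in the clear, and that the cipher details are still to be filled in. The following Python is an added example (not from the reply, not Mozilla's code) that shows how a practitioner would check both points on their own profile: parse the JSON, list what is readable without any key, and decode the outer ASN.1/DER wrapper of an encrypted field to read the algorithm OID it carries. The sample logins.json and the DER blob are constructed inline, with dummy bytes instead of real ciphertext; the assumed layout (SEQUENCE { SEQUENCE { OCTET STRING key id, AlgorithmIdentifier { OID, OCTET STRING IV } }, OCTET STRING ciphertext }) and the 3DES-CBC OID 1.2.840.113549.3.7 are what I expect an NSS-encrypted item to look like and should be verified against a real file, since newer profiles may report a different (PBES2-style) OID whose parameters nest deeper than this parser follows.

```python
import base64
import json

# --- minimal DER helpers, enough for the two-level structure assumed above ---

def der_tlv(tag, payload):
    """Encode one short-form DER TLV (payload < 128 bytes); used only to build the sample."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def der_read(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it). Handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_decode_oid(value):
    """Decode OBJECT IDENTIFIER contents back to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

DES_EDE3_CBC = "1.2.840.113549.3.7"  # assumption: OID seen in older NSS-encrypted logins

def build_sample_blob():
    """Constructed encryptedPassword value in the assumed layout; NOT real ciphertext."""
    key_id = bytes(range(16))      # constructed; in a real file this names the key in key4.db
    iv = bytes(8)                  # constructed; real IVs are random
    ct = bytes([0xAA] * 16)        # constructed filler standing in for ciphertext
    alg = der_tlv(0x30, der_oid(DES_EDE3_CBC) + der_tlv(0x04, iv))
    inner = der_tlv(0x30, der_tlv(0x04, key_id) + alg)
    return base64.b64encode(der_tlv(0x30, inner + der_tlv(0x04, ct))).decode()

def inspect_blob(b64):
    """Return (key_id_hex, algorithm_oid, param_len, ciphertext_len) from one encrypted field."""
    raw = base64.b64decode(b64)
    tag, outer, _ = der_read(raw, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    tag, inner, pos = der_read(outer, 0)
    assert tag == 0x30, "expected inner SEQUENCE"
    _, ct, _ = der_read(outer, pos)
    _, key_id, pos = der_read(inner, 0)
    _, alg_seq, _ = der_read(inner, pos)
    _, oid, pos = der_read(alg_seq, 0)
    _, params, _ = der_read(alg_seq, pos)   # IV for CBC; a nested SEQUENCE for PBES2
    return key_id.hex(), der_decode_oid(oid), len(params), len(ct)

# Constructed stand-in for a profile's logins.json (field names as Firefox writes them).
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{
        "id": 1, "hostname": "https://example.com", "httpRealm": None,
        "formSubmitURL": "https://example.com",
        "usernameField": "user", "passwordField": "pass",
        "encryptedUsername": build_sample_blob(),
        "encryptedPassword": build_sample_blob(),
        "guid": "{00000000-0000-0000-0000-000000000000}", "encType": 1,
        "timeCreated": 1600000000000, "timeLastUsed": 1600000000000,
        "timePasswordChanged": 1600000000000, "timesUsed": 1,
    }],
})

def summarize_logins(text):
    """Per login: what anyone holding the file reads in the clear, plus the cipher OID of the blob."""
    out = []
    for login in json.loads(text)["logins"]:
        _, oid, _, _ = inspect_blob(login["encryptedPassword"])
        out.append({"hostname": login["hostname"], "usernameField": login["usernameField"],
                    "timesUsed": login["timesUsed"], "algorithm_oid": oid})
    return out

if __name__ == "__main__":
    for row in summarize_logins(SAMPLE_LOGINS_JSON):
        print(row)
```

Run it against a real profile by replacing SAMPLE_LOGINS_JSON with the contents of your logins.json; the hostname and metadata come out regardless of any key or Primary Password, which is why the file alone already leaks which sites you have accounts on, and the OID tells you which cipher your own entries use without decrypting anything.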


I don't know whether either of these lists would be relevant, but perhaps you'll get more authoritative responses there:

https://groups.google.com/a/mozilla.org/g/dev-security-policy

https://groups.google.com/a/mozilla.org/g/dev-tech-crypto