How To Recover Your Firefox Master Password
If you’re using Firefox’s built-in password management, you should also be using its master password feature to protect your saved passwords from prying eyes. But what happens if you lose your master password?
Since the master password prevents anyone from accessing your saved passwords, you’re out of luck if you lose your master password—that is, you can’t access any of your saved credentials without it.
That’s where the free, open source tool FireMaster comes in. FireMaster is command line tool designed specifically to recover your master password from Firefox. Here’s how to use it:
- Download FireMaster and extract it to a folder on your desktop.
- Open a command prompt. (Shortcut: Hit Win+R, type cmd, then hit Enter.)
- At the command prompt, change the FireMaster folder to your active directory. The quickest way to do this is to type cd , then drag and drop the FireMaster folder from your Desktop onto the command prompt—which will automatically fill in the path to that folder. Then just hit Enter.
- Construct your FireMaster crack command. FireMaster supports a lot of different options, but you can speed up the process if you can narrow down a few points to customise your password cracking. For example, if you know you’ve only used alphabet characters (a through z), adding the following to your command can speed up a brute force attack significantly:
-c “abcdefghijklmnopqrstuvwxyz”
For the purpose of testing and providing an example, I wanted to see how long it would take for FireMaster to crack a password containing only letters that I knew was six characters long. The resulting command looks like this:
FireMaster.exe -b -q -l 6 -c “abcdefghijklmnopqrstuvwxyz” -p “??????” %appdata%MozillaFirefoxProfiles1sq2zzh2.default
As you can see, I’m telling FireMaster to look try a brute force crack on an 8-character master password using only the letters a through z. (You should read through the usage information to get a better idea of what options you’ve got for customising the process to what you know about your password to speed things up.)
In the last part of the command, I’m pointing FireMaster to my Firefox profile folder, where the key3.db file exists (this is the file that contains the encrypted password information). The last folder in that path will differ for you, but everything up to that folder (i.e., %appdata%MozillaFirefoxProfiles will get you most of the way there. (If you only have one Firefox profile, you should just see one folder inside Profiles; use that folder.)
- After you’ve constructed your command, just hit Enter to get cracking. Using the command constructed above, FireMaster took roughly 23 minutes to crack my Firefox password. If I didn’t know how long the password was, it would take significantly longer (you can offer a minimum and maximum password size to help narrow things down a little further). That said, it clearly wasn’t all that difficult to crack my password given all I knew about it. It gets much harder the more secure your password is (think unusual characters and long passwords).
Every time we post something about, say, how to crack a Windows password, we have to address the privacy issue. Password cracking tools like FireMaster can, like most things, be used for both good and evil. If you’ve forgotten your master password and you’re desperate to get the keys back to Firefox, it can be extremely useful. If you just like testing how secure your current password is, it’s a handy tool. (I always love testing my passwords against these sorts of things.) It would also, obviously, do the trick if you’re trying to steal someone else’s information. Don’t use it for that, jerk.
FireMaster is a free, open-source download. It works on Windows, but it can crack the master password from any Firefox installation—you just need to copy the key3.db file to a folder on a Windows computer and point FireMaster at that folder. If you give it a try, let’s hear how crackable your master password is in the comments.
FireMaster [via gHacks]
- Next Post: The Father-Son Workspace »
- « Previous Post: $6 IKEA Coat Rack Offers Solid Cable Management
Comments (AU Comments | US Comments)
Lol. What happens if you forget the one password used to manage all your passwords so you don't have to worry about forgetting them?
If you can't remember one password, you don't deserve to be online.
@AlBme: Er, only if the fool didn't establish a Master Password for their Thunderbird account(s). As this is a discussion of Master Password Cracking, that's sorta required before the comment is really relevant, no?
gyffes
@jkrell: I have 4 computers in use. On two of them, I have 3-5 virtualized systems. That is a lot of distinct FF master passwords to carry in my head. Yes, each has subtle variations, but between those and my Thunderbird password(s) and the disparate machine logins.. even with Xmarks syncing, my brain rapidly overloads.
ESPECIALLY as I've updated my passwords to far more effective 12-character ones.
gyffes
@(Starman) AnalysisDialysis:
If it didnt say Mac or Linux, i always take it up as Windows ! (I use opensuse, btw)
mawin
You should probably say that this is "Windows only" at the beginning.
(Starman) AnalysisDialysis
Note for windows vista users: It's not possible to drag and drop onto the command prompt in vista, so you'll have to type the folder path in manually. This feature has, thankfully, been reinstated in windows 7.
james47
hmm... with 8 characters, alphanumeric, with capitals (i.e. a minimally adequate password):
"Attempting password = abcdmCwd
Completed password count = 2000000 , still remaining = 221919449578090
Remaining Time = 26969d 09h 42m -08s
Brutecrack speed = 95238 cracks/sec"
I think I'll go make some tea...
corneliuscrab
@jeremiah89: I use www.passpack.com
You can upload your passwords there, and they'll be accessible anywhere with an internet connection.
And yes, it certainly has it's security risks. I use it for everything but banking info.
I've been trying lately to just remember all my passwords, and changing them once in a while to help that effort. Because I can have them saved on my laptop all I want, but if I don't have my laptop at school, and have to use the computers there, chances are there's at least a few I don't remember at all, so now I'm screwed.
jeremiah89
@ADiSH: With all due respect, Adam's example is bullshit. His password short and weak.
From the article, we see Adam's computer could crank out 158,467 password tries a second. The handy calculator at [lastbit.com] gives his pathetic password a maximum of 33 minutes to live.
A good 8 character password with a mix of upper/lower case, numbers, and symbols would take him 183 YEARS on a single computer. This is why good passwords are a must.
Botnets can worsen the odds, but you can still put your password out of reach with whole-disk-encryption and a separate key-file or 20 character password.
Note that none of this will hold up against a government or organized crime. You're still vulnerable to what's cheekily called "rubber hose cryptography" (apply rubber hose to user until password is recovered).
toaste
@Red_Flag: Or those who don't want to take the time to pick the lock.
MichaelTV
@ADiSH: It depends what your password is. If you use 9 characters, lower case and numbers, my quick math says the cracking time went from 26 minutes to 16 years.
sample032
say you only have a few minutes on a persons computer. could you copy the file and preform the crack elsewhere, just changing the directory?
ctferrarajr
No, the master password isn't useless.
In the example given in the post, the author was testing against a deliberately weak password (known to be 6 characters, only 26 possibilities for each character).
If you pick a better password, say 8 characters from upper and lower case letter, numbers, and symbols the time it takes for this brute-force cracking program to try every one grows enormously.
But this poses another problem though. If you've picked a really good password, then completely forgotten it, the method proposed in this post won't help you because it would take longer than your lifetime to brute-force your firefox master password.
FloydAristaeus
@iminfenix: Yes, because the first thing one should do when a security flaw is discovered (which requires the attacker to be physically present to capture the information) is to go out and upload the sensitive information to a third-party website (and possibly cross your fingers). So much more secure.
@Phoshi: Locks only keep out honest people.
Wow doesn't that... sorta... spoil the whole point? Anyway I shouldn't lose it, i got it saved in a .txt file to which i removed the .txt extension to keep it nice and secure, and have saved it somewhere where it won't get lost, even if my computer suddenly blows up.
Am I safe if I use special characters like ALT+**** (four letters from numberpad)?
David Gilling
@ADiSH: If your windows password is useless, your bank passwords are useless, and your LH password is useless, then I suppose this is useless too.
The lock on your front door can be broken, it's worthless. Keep the door, though, else your house'll get cold.
So basically the firefox password is useless?
wow this makes the whole totally useless.
@mseifullah: OS passwords should be fine, the actual symbol is meaningless, it's the string of numbers that's important.
@pcx339: Yeah, I've come across one or two places that won't let me in, in which case I simply have to live with a mere alphanumeric password :(
@Tiyumba:
You can if your laptop keyboard has a simulated Numpad. Typically on laptops this is accomplished on the right portion of the keyboard with the 'Fn' key. I frequently use it to type § when I'm writing tax memos.
Ciao
@LD: it's not really easy to crack though. This just uses brute force to determine your password, using a program specifically for firefox passwords. Given a complex enough sequence of characters, with good length, it will most likely not be cracked for a long time by someone without any knowledge of the password.
psychiccheese
Who forgets their master password anyway? I use FF every day -- as I assume most people do. So I ask again, how can you forget it?
The PCs I use are either desktops, which are not likely to go missing, or laptops encrypted using TrueCrypt. So I am not worried about this too much.
jkrell
@MC Double Def DP: My laptop doesn't have a numberpad. Can I still get those characters without using Character Map?
Tiyumba
@Phoshi: I used to do that until it turned out that those characters can cause strange effects on different systems. I had a password that included a character that cleared the line on HP-AUX systems so I could never rlogin from those machines.
Obviously not an issue if you're only ever on one machine, but a serious issue for those who do a lot of complicated stuff.
@EdgesRazor: Alt+456 and Alt+789 (both on numberpad).
My passwords are all randomly generated, (I don't even know them) using the complete character map alloted, using keypass. The keypass password itself is over 40 characters long + salt and changed bi-annual. Yeah memorizing is a pain, but it is one password to remember versus 70+.
So why should I use a master password if it can be cracked this easily?
Well, I want to try this, but I don't seem to have a key3.db file on my computer. I haven't used a master password before (*cough*), so I just set one up.
@Phoshi: How do you even get those characters without using Character Map?
EdgesRazor
Use lastpass.com and bypass Firefox manager all together.
iminfenix
For precisely this reason, I never save any password, regardless of its importance, or lack thereof.
For a big laugh, Thunderbird let's you reveal your hidden email passwords with just a click. I admit that it comes in handy when a customer wants to reinstall Thunderbird on another computer and they have forgotten their passwords. But, c'mon!
AlBme
@Phoshi: never thought about that. good call.
Even more important than adding the caveat that this shouldn't be used for evil is acknowledging that some people can and will use this for nefarious purposes. In other words, if someone has the ability to copy your profile folder, and your password is not complex enough (probably at least 12+ characters), they can access your master list of passwords.
Using a protected password database is still way better than using the same password at multiple sites, but just keep in mind the importance of a complex master password.
Ionitor
I think you meant to say that you were trying to crack a 6-character password based on the command you've provided: "-l 6" (i.e. maximum length of 6).
mayflyripper
Which is why I always use lovely characters like ╚(456) and §(789) in my passwords. Really annoys people watching what I type to see what my password is :3