Previous entries
Next entries

March 7th, 2006

How to Reveal All Your Passwords in Firefox in Under a Minute


By Alice Hill
RealTechNews

Firefox is known for being faster and more secure than Microsoft’s Internet Exploroer. It’s my browser of choice and refreshing to see the long-dormant browser wars spring to life again. But did you know that a child of 7 could reveal all your passwords with just a few mouse clicks?

Simply go to Tools -> Options -> Privacy and click on the VIEW SAVED PASSWORS button. Then choose Show Passwords. Firefox does you the favor of asking if you REALLY want to show the passwords. Source: Thetechsticle

We Say: Yikes! I just saw the list of my passwords on my laptop I forgot to lock down. Set the MASTER PASSWORD and always use a screensaver login to keep prying eyes and hands off your system. Or better yet, don’t save your passwords.

Share and Enjoy:These icons link to social bookmarking sites where readers can share and discover new web pages.
  • del.icio.us
  • digg
  • Fark
  • NewsVine
  • Reddit
  • YahooMyWeb
You can leave a comment, or trackback from your own site. RSS 2.0

29 comments to "How to Reveal All Your Passwords in Firefox in Under a Minute"

  1. Matthew says:

    This is worse than saving your passwords in the first place how? If your passwords are stored, a person could walk up to your unlocked computer and access your private information anyway.

    FYI, almost all major browsers store these passwords in plaintext.

    March 7th, 2006 at 8:41 am

  2. robotrock says:

    Am I the only one who uses a master password for their browser? Isn’t that the whole point?

    March 7th, 2006 at 8:48 am

  3. Alice says:

    People forget. And a lot of people just don’t know.

    March 7th, 2006 at 8:50 am

  4. aea says:

    People are stupid and shouldn’t be allowed on the internet. In the same vein, this is a really weak article.

    March 7th, 2006 at 9:26 am

  5. Ravilyn Sanders says:

    If some one has access to your keyboard, they might as well
    plug in a thumbdrive and steal 1 GB worth of files. No software
    can protect you if a malicious person has physical access to your machine.

    March 7th, 2006 at 10:05 am

  6. David Johnston says:

    This is a lot worse than someone being able to use the saved passwords to visit those sites because a lot of people use the same passwords for more than one site (and even in offline things and other programs) so seeing what some of your passwords are could help a person gain access to other things that require your password.

    March 7th, 2006 at 10:35 am

  7. RealTechNews says:

    I work for FireFox.

    So I am really getting a kick out of most of these replies.

    Some of you guys are very good at making it sound like you know what you are talking about.

    But trust me…. You don’t.

    I think you just want to make yourself sound smart, when in reality you don’t know what you are talking about.

    This is how bad info gets passed around.

    If you dont know about the topic….Don’t make yourself sound like you do.

    ‘Cuz some Farkers belive anything they hear.

    March 7th, 2006 at 11:47 am

  8. RealTechSkews says:

    Ah, classic internet response.

    ‘I’m an expert, and you aren’t. You’re so wrong that I won’t even bother describing why.’

    March 7th, 2006 at 11:51 am

  9. Nick says:

    Separate response copy-and-pasted from another Fark article….

    I work for the so-called Monmouth Police Department.

    So I am really getting a kick out of most of these replies.

    Some of you guys are very good at making it sound like you know what you are talking about.

    But trust me…. You don’t.

    I think you just want to make yourself sound smart, when in reality you dont know what you are talking about.

    This is how bad info gets passed around.

    If you dont know about the topic….Dont make yourself sound like you do.

    Cuz some Farkers belive anything they hear.

    This guy’s a real winner. And lazy.

    March 7th, 2006 at 12:21 pm

  10. MissingFrame says:

    This is the same kind of scary as any 7 year old child being able to make a dangerous torch from a lighter and a can of hairspray. You need this kind of scare to remind people what dangers there are. This is a good thing, and I hope they don’t change it.

    I suppose they could hide it, but that would be about as useful as putting a fake lock on your front door.

    March 7th, 2006 at 12:25 pm

  11. Bill Blotto says:

    I just smashed my computer with a hammer.

    March 7th, 2006 at 1:11 pm

  12. David Johnston says:

    This is actually worse than you think were it to be exploited in a fairly easy and straightforward way. You don’t even need to open up Firefox to steal the passwords. All you need is signons.txt and key3.db from the user’s profile folder. This could easily be obtained by hackers and malware creators (or anyone who has physical access to the computer). After you have these files, you just have to copy them into any Firefox profile and fire it up. Then you can go through the simple steps listed above, and see that person’s passwords.

    Even if you were to set a master password, you’re only marginally safer if someone has read/write access to the files on the computer. The master password can easily be reset through a bit of trickery.

    March 7th, 2006 at 1:13 pm

  13. Tarun says:

    yeah, i totally agree … this firefox dude is a gas bag … dude, firefox is a great browser, I had seen this too but never really commented on it … yeah, it’s helped me once the trouble of a forgotten password, but i really would’nt wanna have some guy look at the passwords to my mails, specially not my wife … could get me a divorce in a sec ;D … just kidding …

    but no doubt, if firefox had a patch to remove this feature, i’m in for it !

    March 7th, 2006 at 1:15 pm

  14. rich says:

    One does not “work for FireFox”, just like one does not “work for iTunes”. If he *did* work for the Mozilla Foundation he’d get the name right!

    March 7th, 2006 at 1:37 pm

  15. Ordius says:

    Guys, calm down. The “I work for.. ” cliché is just that, a cliché. It originated on FARK.com and was designed to be troll-bait.

    March 7th, 2006 at 2:29 pm

  16. shaver says:

    Resetting the master password might be relatively easy, but doing so doesn’t expose the saved passwords, so there’s not much point in an attacker doing so other than as mischief. You can see http://djst.org/blog/2005/09/26/master-password-security/ for more information on this, if you’d like.

    This isn’t just a matter of policy in the password manager, it’s a function of how the data is stored: the key database is encrypted with the master password, and you need that master password to decrypt it. You have to break 3DES to break the encryption on a a password database with a master password set, either by brute force or by guessing the password the user selected. (This also means that if you forget your master password, nobody can help you get it back without similar feats of encryption-breaking. Perhaps unfortunate, but a relatively small cost to pay for the security that the system provides.)

    Mike

    March 7th, 2006 at 2:31 pm

  17. dirk says:

    This is a really lame article. It’s not like it’s a bug or some hidden backdoor. You can protect them all with a master password, which is much better than IE, which IIRC has no ability to set a master pass. Plus, I can remember several times where I’ve needed to access the saved password in order to use it on another computer for the same site. *yawn*

    March 7th, 2006 at 5:31 pm

  18. martinelli says:

    If you’re going to save passwords that are for sensitive stuff (not for your usual teen angst blog) then use something like Roboform that stores it encrypted and external to the web browser. I never have trusted ANY web browser to save and keep passwords. Too many bugs and exploits.

    Also another thought, spyware is getting smarter, it is starting to wait for you to log in before doing it’s dirty work. Why waste your time cracking it or stealing it when you have a ready, dumb human behind the keyboard to enter it for you. Passwords after all, aren’t what you’re after, it’s the goodies in the bank account.

    March 7th, 2006 at 6:37 pm

  19. anon says:

    Is it just me or does Firefox give you a warning when it asks if you want to save your password? Something about how the information can be easily read, and are you sure you want to do it?

    Just to be safe, I think we should stop using computers. They spread the bird flu, you know.

    March 8th, 2006 at 12:09 am

  20. Smileynh says:

    Clear Private Data on exit.

    No PW file, no master PW.

    Problem solved.

    March 8th, 2006 at 3:14 am

  21. MT says:

    Why are you spreading these Myths? IE is faster than Firefox.

    “Firefox is known for being faster and more secure than Microsoft’s Internet Explorer”

    http://www.firefoxmyths.com

    March 8th, 2006 at 6:24 am

  22. jb says:

    I love flames — they shed so much heat with so little light.

    Any browser that saves passwords stores them somewhere. If the browser can retrieve the passwords, so can you.

    March 8th, 2006 at 8:30 am

  23. Nico says:

    I think a lot of people kinda miss the point. Isn’t the OS supposed to isolate the different user’s data in a secure way? Surely you do not let your children use your computer with your logon!

    I suppose you also need an OS that can actually isolate individual users data. Windows has come a long way, but in the end Linux/Unix (IMHO) is still better at these privacy issues - only problem is that some Distro’s still allow each user to ave READ access to other user’s home directory.

    Once you have secured your OS, it should be perfectly safe to store your passwords in the way that Firefox saves them.

    What Firefox *could* do is inform users better about the various security issues and options, say during install time. Not that we read it - but for what it’s worth.

    Just my 2c

    March 8th, 2006 at 9:51 pm

  24. Robert K. Tompsett says:

    Personally, I don’t have a need for the Master Pass word. I tryed it and it may be good for some, but as I am the only person that accesses my computer(my wife has her own with Firefox),I chose not to use a Master. My computer is protected with a password at Boot up. Sometimes there is such a thing as “Over-Kill”.

    June 3rd, 2006 at 4:13 pm

  25. aksn1p3r says:

    I have found a javascript snippet that really works wonders for me on Firefox.

    Check my post out… http://aksn1p3r.blogspot.com/2007/07/firefox-asterisk-revealer.html

    September 21st, 2007 at 12:52 am

  26. aksn1p3r says:

    … forgot to add that I don’t work for anyone, just a normal blogger trying to find the author of the script above but stumbled onto this uninformative post.

    September 21st, 2007 at 12:57 am

  27. aksn1p3r says:

    Forget master password LOL!

    http://aksn1p3r.blogspot.com/2007/11/firemaster-firefox-master-password.html

    December 10th, 2007 at 12:22 am

  28. Vasyu says:

    DWZUYy Vasyu testit vasyu.net

    August 8th, 2008 at 9:52 am

  29. bhushan says:

    At last i think no expert can reveal the password

    but one thing left is that you can build your own website or simply web page and ask for password and email.
    ┌───────┐
    email: └───────┘

    ┌───────┐
    password: └───────┘

    submit: ██████████

    In the password submit box, choose the font which would not show you such as tunga, etc with the help of style

    As after the person submit the form, we can simply drag the code and paste to the text editor and view with any other font.

    I like this web site very much

    October 8th, 2008 at 8:17 pm

Leave a comment