{"id":2154,"date":"2011-12-04T16:40:50","date_gmt":"2011-12-04T11:10:50","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=2154"},"modified":"2011-12-28T16:59:53","modified_gmt":"2011-12-28T11:29:53","slug":"saved-passwords-in-browsers-are-they-secure-2","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/saved-passwords-in-browsers-are-they-secure-2\/","title":{"rendered":"Saved passwords in browsers; Are they secure?"},"content":{"rendered":"<div>\n<p style=\"text-align: justify;\">Many famous browsers, such as Google Chrome, Firefox (FF), etc., provide a \u201cremember password\u201d option that lets users save their passwords.<!--more--><\/p>\n<\/div>\n<p style=\"text-align: justify;\"><strong><span style=\"color: #333333;\">Do you know where passwords are stored in browsers?<\/span><\/strong><\/p>\n<p style=\"text-align: justify;\">Firefox stores passwords in two different files: key3.db (this file stores the key database for your passwords) and signons.sqlite (this file stores the saved passwords). Both files are located in the Firefox profile directory.<\/p>\n<p style=\"text-align: justify;\"><strong><span style=\"color: #333333;\">How can we secure them by using a \u201cmaster password\u201d?<\/span><\/strong><\/p>\n<p style=\"text-align: justify;\">Passwords used to log in to websites are stored in the \u2018signons.txt\u2019 text file, which uses Base64 encoding, meaning there is no strong encryption. Anyone who is able to access this text file can decode your passwords easily. Well-known tools like \u201cPasswordViewer\u201d can be used for this purpose.<\/p>\n<p style=\"text-align: justify;\">The best way to secure the passwords stored in the browser\u2019s text file is to use a master password. All saved passwords are then encrypted using the master password and stored in signons.txt and signons.sqlite. 
Another tool, <em>\u201cPassword Hasher\u201d<\/em>, is a Firefox add-on that computes unique passwords using at least one master password. This means that every website will have a different password stored in its database, while the user uses the master password(s) to access those websites.<\/p>\n<p style=\"text-align: justify;\"><span style=\"color: #333333;\"><strong>Rules of thumb for setting a strong master password<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\">Before setting the master password, remember that the security of your saved passwords is directly related to the strength of the master password. The master key for the encryption algorithm is derived from the master password and a salt stored in key3.db. Consider the following:<\/p>\n<ol style=\"text-align: justify;\">\n<li>It should be easy for YOU to remember and hard for OTHERS to guess.<\/li>\n<li>Mozilla (and most other companies, such as Microsoft) suggests using at least 8 characters, with upper case, lower case, a number and a special symbol such as #, $, % etc.<\/li>\n<li>You can use a sentence or phrase that you can remember easily: \u201cItishardertocrackaprejudicethananatom\u201d (almost impossible to crack).<\/li>\n<\/ol>\n<p style=\"text-align: justify;\"><span style=\"color: #333333;\"><strong>Is it possible to recover\/hack the \u201cmaster password\u201d? Not impossible<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\">The general user perception was that when the master password is reset, all saved passwords vanish, and that it is not possible to recover the master password. But it is possible: you just need to copy the key3.db file to a different directory and specify the corresponding path to FireMaster. 
You can also copy this key3.db to any other high-end machine for a faster recovery operation.<\/p>\n<p style=\"text-align: justify;\">FireMaster generates passwords on the fly through various methods. It then computes the hash of each password using a known algorithm. Next, this password hash is used to decrypt the encrypted data for a known plain text (i.e. &#8220;password-check&#8221;). If the decrypted string matches the known plain text (i.e. &#8220;password-check&#8221;), then the generated password is the master password. After obtaining the master password, the saved passwords in the signons.txt file can be decrypted.<\/p>\n<p style=\"text-align: justify;\"><strong><span style=\"color: #333333;\">Conclusion<\/span><\/strong><\/p>\n<p><span style=\"text-align: justify;\">If you want to save your passwords, then use a master password to protect them. If you want to transfer your saved passwords in Firefox, then copy signonsN.txt, signons.sqlite and key3.db to your Firefox profile directory. The strength of the encryption depends on the strength of the master password you choose.<\/span><\/p>\n<p><span style=\"text-align: justify;\">If you forget your master password, you can get it back via FireMaster, which means that hackers can crack it too. 
To prevent this, strengthen your physical and network security.<\/span><\/p>\n<p style=\"text-align: justify;\">&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many famous browsers, such as Google Chrome, Firefox (FF), etc., provide a \u201cremember password\u201d option that lets users save their passwords.<\/p>\n","protected":false},"author":18,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[109],"tags":[],"class_list":["post-2154","post","type-post","status-publish","format-standard","hentry","category-website-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-yK","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=2154"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2154\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=2154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=2154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=2154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}