Generated by spec.rb at: Wed Jun 24 16:17:21 +0200 2009

Mozilla Firefox saved passwords recovery (export) utility

Table of contents

New solution (updated 2009-06-24)

I was contacted by quite a few people desperately trying to get this quick-hack of mine (described in latter sections) to work. As it turns out, it's not that easy; and it's not even FF3 compatible.

Fortunately, out of need I've created much better solution than this quick hack -- a Firefox3 compatible password exporter written as a HTML page.

To use it simply download the file to your harddrive, then open it in Firefox. Firefox will ask whether you want to allow potentially UNSAFE operation (accessing your password store), then it will ask for your master password and you'll be presented nice table with your passwords. Nothing else needed.

From that page you can even export all your passwords to textfile with single click and/or sort them by hostname, username, or password.

Btw, this solution is inspired by original JavaScript password exporter by Edmund J. Mullen and subsequent FF3 bare-bone mod by "Josh O aka CR_TurboGuy".

Old solution (kept for reference)

Purpose

Ever needed to export saved passwords from Mozilla? Doing it via "show passwords" in "Password manager" can be quite daunting task if you have more than few accounts saved.

Other options?

It's quite simple with no master password -- you just need to write a simple parser for signons.txt format plus base64-decode the fields.

With master password set, it's a different story ...

The problem

With master password set the fields are stored as PKCS#11 (let's say encrypted ;) ). So we need to decrypt them first.

The solution

I hacked "sdrtest" utility which comes with Mozilla to non-interactively decrypt any input you throw at its stdin (provided you know correct password and your "key3.db" and "signon.txt" files are correct). Resulting binary is called "sdrdecode".

That isn't much, since you would have to copy&paste everything by hand. So I wrote script (in Ruby) to parse signons.txt, decrypt the input through "sdrtest" and display all hosts in a human-readable (or should I say geek-readable?) fashion.

So the whole things now looks simple:

wejn@ns ~/work/moz-export $ export MOZ_PASSWORD=kocicka
wejn@ns ~/work/moz-export $ MH=~/.mozilla/firefox/9idmuan1.default/
wejn@ns ~/work/moz-export $ ./moz-decoder.rb $MH $MH/signons.txt
Host: http://svetluska.wejn.org
Type: form
Fields:
  user_login: 547212047
  user_password: 547212047

Host: 10.0.0.1:80
Type: http auth with realm: Viking
Fields:
  HTTP-auth/username: root
  HTTP-auth/password: tajneheslo

wejn@ns ~/work/moz-export $ 

So, if you just want to use it, see next section which covers installation.

Installation

You'll need quite a few things on your computer:

To install just unpack the package, type "make" and if all goes well, you can start using it.

If not, you have two options:

Usage

moz-decoder.rb (the thing you probably want to use)

It's quite simple:

Usage: ./moz-decoder.rb <profile_dir> <wallet_file> [password]

Profile directory is the directory where your Mozilla keeps your key3.db and other files. If you want (for safety reasons) copy the files elsewhere, you will need:

Then you can point "profile_dir" to dir where you put the backup. Wallet file is full path to the last file in previous list.

Password can be entered in two ways: via env. var "MOZ_PASSWORD" or via commandline (not recommended on shared boxes).

You will get human-readable dump on standard output. If you don't like the format, just edit end of the script -- changing the output format is braindead simple.

sdrdecode (the thing you probably don't want to use directly)

Usage: sdrdecode <profile_dir> [password]

Variable description is same with moz-decoder.

It expects base64 encoded strings on stdin and after you're done feeding it, you will get decrypted strings as output (one per line).

It doesn't process one-by-one since I was lazy while hacking the C source. (who would want to mess with C source after working couple of years in Ruby, anyway? :) )

Conclusion

If you have all prerequisities, it'll be quite simple to extract the saved passwords this way.

Links to other sites