Generated by spec.rb at: Tue May 20 20:49:47 +0200 2008

Mozilla Firefox saved passwords recovery (export) utility


Prelude

I was contacted by quite a few people desperately trying to get this quick-hack of mine (described below) to work.

As it turns out, it's not that easy.

Fortunately, there's a much better solution than mine -- a JavaScript password exporter by Edmund J. Mullen that works like a charm. I was alerted about it by Mitch Silverstein (thanks!).

To use it, simply follow the instructions at the end of the page: download the HTML page with JavaScript (mirror here) to your hard drive and then open it. Mozilla will first ask whether you want to allow a potentially UNSAFE operation, then it will ask for your master password, and that's it.

Please note: You have to download the script to your hard drive, as it doesn't work online due to browser security.

That's all you need to export your passwords, no software installation needed. And now I can talk about my (now obsolete) take on the problem:

Update 2008-05-20: Firefox3 version by Josh O aka CR_TurboGuy

I got this bare-bones version that works in Firefox3 from Josh (original location). Thank you, Josh. :-)

Purpose

Ever needed to export saved passwords from Mozilla? Doing it via "show passwords" in "Password manager" can be quite a daunting task if you have more than a few accounts saved.

Other options?

It's quite simple with no master password -- you just need to write a simple parser for the signons.txt format and base64-decode the fields.

With a master password set, it's a different story ...
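
The no-master-password case described above, as an added example (not part of the original page or of moz-decoder.rb): a Ruby parser that decodes the base64-only fields and flags the ones that need real decryption. The "#2c" header, the "." terminators, the "*" password-field prefix, the "~" obfuscation prefix and the "host (realm)" form for HTTP auth are assumptions about the signons.txt layout that this page does not spell out; the sample data is constructed.

```ruby
require 'base64'

Entry = Struct.new(:host, :realm, :fields)

# Constructed sample in the assumed "#2c" layout (not taken from a real profile).
b64 = ->(s) { Base64.strict_encode64(s) }
SAMPLE = [
  '#2c', 'http://never-save.example', '.',            # header + "never save" list
  'http://forum.example', 'user_login', "~#{b64['alice']}",
  '*user_password', "~#{b64['s3cret']}", '.',         # no master password
  '10.0.0.1:80 (Viking)', '', b64['constructed-blob'],
  '*', b64['constructed-blob'], '.'                   # stands in for encrypted data
].join("\n")

# "~" prefix (assumed): value is only base64-obfuscated. Anything else is an
# encrypted blob that needs key3.db and the master password to decrypt.
def decode_value(raw)
  raw.start_with?('~') ? [:obfuscated, Base64.decode64(raw[1..-1])] : [:encrypted, nil]
end

def parse_signons(text)
  lines = text.lines.map(&:chomp)
  raise ArgumentError, 'unsupported header' unless lines.shift == '#2c'
  lines.shift until lines.empty? || lines.first == '.' # skip "never save" hosts
  lines.shift                                          # drop the "." terminator
  entries = []
  until lines.empty?
    header = lines.shift
    next if header.empty?
    host, realm = header.match(/\A(.*?)(?: \((.*)\))?\z/).captures
    fields = []
    while (name = lines.shift) && name != '.'
      value = lines.shift or raise ArgumentError, "truncated entry for #{host}"
      state, plain = decode_value(value)
      fields << { name: name.sub(/\A\*/, ''), password: name.start_with?('*'),
                  state: state, value: plain }
    end
    entries << Entry.new(host, realm, fields)
  end
  entries
end

# Hosts whose password anyone with read access to the file can recover.
def exposed_hosts(entries)
  entries.select { |e| e.fields.any? { |f| f[:password] && f[:state] == :obfuscated } }
         .map(&:host)
end

if __FILE__ == $PROGRAM_NAME
  puts "Only obfuscated: #{exposed_hosts(parse_signons(SAMPLE)).join(', ')}"
end
```

Entries reported as :encrypted are the ones that still need key3.db and the master password, which is what the rest of this page deals with.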

The problem

With a master password set, the fields are stored as PKCS#11 (let's say encrypted ;) ). So we need to decrypt them first.

The solution

I hacked the "sdrtest" utility, which comes with Mozilla, to non-interactively decrypt any input you throw at its stdin (provided you know the correct password and your "key3.db" and "signons.txt" files are correct). The resulting binary is called "sdrdecode".

That isn't much, since you would have to copy&paste everything by hand. So I wrote a script (in Ruby) to parse signons.txt, decrypt the input through "sdrtest" and display all hosts in a human-readable (or should I say geek-readable?) fashion.

So the whole thing now looks simple:

wejn@ns ~/work/moz-export $ export MOZ_PASSWORD=kocicka
wejn@ns ~/work/moz-export $ MH=~/.mozilla/firefox/9idmuan1.default/
wejn@ns ~/work/moz-export $ ./moz-decoder.rb $MH $MH/signons.txt
Host: http://svetluska.wejn.org
Type: form
Fields:
  user_login: 547212047
  user_password: 547212047

Host: 10.0.0.1:80
Type: http auth with realm: Viking
Fields:
  HTTP-auth/username: root
  HTTP-auth/password: tajneheslo

wejn@ns ~/work/moz-export $ 

So, if you just want to use it, see the next section, which covers installation.

Installation

You'll need quite a few things on your computer:

To install, just unpack the package, type "make" and, if all goes well, you can start using it.

If not, you have two options:

Usage

moz-decoder.rb (the thing you probably want to use)

It's quite simple:

Usage: ./moz-decoder.rb <profile_dir> <wallet_file> [password]

The profile directory is the directory where your Mozilla keeps your key3.db and other files. If you want (for safety reasons) to copy the files elsewhere, you will need:

Then you can point "profile_dir" to the directory where you put the backup. The wallet file is the full path to the last file in the previous list.

The password can be entered in two ways: via the environment variable "MOZ_PASSWORD" or on the command line (not recommended on shared boxes, where other users can see command-line arguments in the process list).

You will get a human-readable dump on standard output. If you don't like the format, just edit the end of the script -- changing the output format is braindead simple.

sdrdecode (the thing you probably don't want to use directly)

Usage: sdrdecode <profile_dir> [password]

The variable description is the same as for moz-decoder.

It expects base64-encoded strings on stdin and, after you're done feeding it, you will get the decrypted strings as output (one per line).

It doesn't process them one by one, since I was lazy while hacking the C source. (Who would want to mess with C source after working a couple of years in Ruby, anyway? :) )

Conclusion

If you have all the prerequisites, it'll be quite simple to extract the saved passwords this way.
