Every web browser comes with a password manager that lets you save the password you used to log in to a website, so that there is no need to manually type the username and password each time you want to log in. Other than convenience, a password manager also allows you to use a unique password for every account, which is much safer. The only question we need to ask is how secure the password manager is, because a hacker gaining access to your password manager is probably as bad as using the same password for every account.
Since Firefox is one of the most used web browsers today, let us take a look at how safe its password manager is by trying to reveal the passwords saved in Firefox, and also at the possibility of bypassing, resetting or cracking the master password.
There are third-party tools that can automatically read and list all passwords saved in Firefox. We list 3 such tools below that are free to use; there is also other similar shareware that does pretty much the same thing without offering any special or unique features.
1. PasswordFox
PasswordFox is a free and portable tool by Nirsoft. Running it automatically reveals all the saved passwords in Firefox together with additional information such as the user name and password field and the decrypted signons file, and it even shows the password strength. PasswordFox also supports command line arguments that can extract all the login information and save it to an external text, HTML, XML, or CSV file. To load an external profile, click on the select folders icon and locate the profile folder path.
2. FirePasswordViewer
FirePasswordViewer is similar to PasswordFox, except that it requires installation and the setup comes with adware, which can be avoided by clicking the Decline button. By default it automatically loads the default Firefox profile; to recover the passwords, click Start Recovery followed by the Show Password button. The recovered passwords can be exported to an HTML, XML or text file.
3. Firefox Password Recovery Tool
Although Firefox Password Recovery Tool has not been updated for 3 years, it still works with the latest Firefox. All you need to do is run the portable executable file and it will automatically decrypt the default Firefox signon database file and list all saved hosts, usernames and passwords. Just like the two previously mentioned tools, Firefox Password Recovery Tool can also load other profiles: click the “Load from Profile” button and locate the folder.
Although the Firefox password manager seems insecure because the password database file can be easily stolen and decrypted, fortunately there is an additional security option where you can specify a master password. When a master password is set, none of the Firefox password recovery tools mentioned above can decrypt the passwords without being given a valid master password. Any attempt to reveal a password from the Firefox password manager itself will also require you to enter the master password, or else you only get to see the list of saved sites and usernames.
The Firefox master password feature is secure if you use a strong password, because the only way to recover the master password is the brute force method: running through millions of words to find a matching one. Brute force cracking takes time and luck, without any guarantee. If you are looking for a tool that can help you recover a Firefox master password using brute force, you can give FireMasterCracker a try. It is a GUI version of the command line application FireMaster, developed by the same author as FirePasswordViewer. Simply specify the path to the profile folder that you want to crack and the dictionary file to use.
As a test, we set the master password to abc123 and FireMasterCracker instantly cracked it, because the password was found at the top of the provided dictionary file (passlist.txt).
As a final note, enabling the master password in Firefox and using a really strong one is good enough to protect all your saved passwords. If you don’t intend to use a master password, it is better not to use the built-in password manager at all: disable it from the settings, or use a better password manager such as LastPass together with YubiKey.
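The abc123 result above shows why a master password should be checked against dictionary-style guesses before it is trusted. The following Python sketch is an added example, not part of the original article or of any tool it mentions; the sample wordlist, the mutation rules and the 60-bit threshold are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample standing in for the head of a cracking dictionary
# such as passlist.txt (these are NOT the real file's contents).
SAMPLE_WORDLIST = ["123456", "password", "abc123", "qwerty", "letmein", "firefox"]

# Common leetspeak substitutions, undone before comparing with the dictionary.
LEET = str.maketrans("0134579@$!", "oleastgasi")

def normalise(pw):
    """Undo cheap mutations: case, trailing digits/symbols, leetspeak."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)

def charset_size(pw):
    """Size of the character pool a blind brute force would have to cover."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    size = sum(len(p) for p in pools if any(c in p for c in pw))
    return max(size, 10)  # floor for empty or non-ASCII input

def audit(pw, wordlist=SAMPLE_WORDLIST, min_bits=60):
    """Rate a candidate master password; min_bits is an assumed threshold."""
    # Upper bound only: assumes every character was chosen at random.
    bits = len(pw) * math.log2(charset_size(pw))
    result = {"verdict": "ok", "dictionary_rank": None,
              "bruteforce_bits": round(bits, 1)}
    bases = {normalise(w) for w in wordlist} - {""}
    if pw in wordlist:
        result["dictionary_rank"] = wordlist.index(pw) + 1
        result["verdict"] = "in dictionary"
    elif normalise(pw) in bases:
        result["verdict"] = "dictionary variant"
    elif bits < min_bits:
        result["verdict"] = "too short for brute force"
    return result

if __name__ == "__main__":
    for candidate in ["abc123", "P@ssw0rd1!", "xk7q", "correct-horse-battery-staple-42"]:
        print(candidate, audit(candidate))
```

In practice the wordlist would be loaded from a large leaked-password list rather than the six constructed entries used here.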