Decryption tool for passwords in Firefox
Back in November 2023 I had the misfortune of a software engineer not doing his job correctly and he reinstalled the OS on my laptop instead of repairing some software that wasn't functioning correctly. Mercifully, I have had Microsoft support working on recovering my data, which has proved a tremendous task. 4 months and counting.
We have now finally managed to recover my passwords for my browsers, but they are encrypted. Microsoft Support have therefore asked if Mozilla do a decryption tool as they cannot open the file without it being decrypted first. If I was using Microsoft Edge, they would have been able to assist as that is a Microsoft product, but as Firefox is a third party application, they've asked for assistance. By the way, these are NOT scammers or hackers 'helping' me, but Microsoft support and I get everything emailed about our support etc.
Thanks in advance.
Wszystkie odpowiedzi (13)
Firefox stores the usernames and passwords encrypted in logins.json, the encryption key is stored in key4.db and you can only recover the logins via the Firefox Password Manager if you place a matching logins.json and key4.db in a profile folder.
Thanks for the reply. Microsoft have followed what you have put there and I am seeing what they do via a screen sharing mechanism, however, what are we to do next with the cvs file? Or is there another instruction that we have to follow. They've tried to do what it says on screen, but there is clearly a step missing because we cannot progress.
They have both the logins.json and the key4.db but what are the next steps that we have to follow in order to decrypt the information and bring it back?
Thanks in advance
Like I wrote above, easiest is to use the Firefox Password Manager to display the usernames and passwords. To do that you need to place logins.json and key4.db in the Firefox profile folder and start Firefox and open the Password Manager (about:logins).
- https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
- https://support.mozilla.org/en-US/kb/password-manager-remember-delete-edit-logins
You can possibly export the logins to CSV in the Password Manager.
You can also look at a Nirsoft utility.
Thank you for the reply. However, what we need to know is how do we create the CVS file for the data we have found in order that we can then use the decryption tool.
Would you kindly set out how we do that. Thanks.
I don't know if you have received my reply to your post on March 19, however, the Microsoft engineer cannot proceed with my full data recovery until he's given the correct instructions.
I view everything that they do via a secure screen sharing and following the instructions on where Firefox stores user data and the password manager in your earlier replies, it does not then explicitly say how to create the appropriate file once you've located the relevant encrypted files.
That's all that is missing for us to be able to then say we've recovered every last bit of lost data, so your assistance is greatly appreciated.
Thanks.
I addressed that in the second part in my reply. You can only export the logins to CSV in the Password Manager and that requires to place logins.json and the amtching key4.db in the profile folder.
This Nirsoft utility should also be able to decrypt the logins by providing access to logins.json and key4.db.
Thank you for clarifying that. You'll have to forgive me as I am not technically minded, so I am being steered on this by the Microsoft engineers.
I'll update the answer to them, but thanks once again.
Hi, I just wanted to send you a note that you will want to change any important passwords you have. Especially for banking sites & email accounts. I know you say you've been talking to Microsoft engineers but these people should NOT be trying to decrypt your passwords. They could've easily emailed you your Firefox password files & you could've followed Cor-el's decryption steps on your own computer privately.
I'm just advising you to trust NO ONE with your passwords. Not even "Microsoft engineers". When people know passwords can unlock access to money, Bitcoin, emails, social security numbers, credit card numbers on shopping sites like Paypal, Ebay, Amazon, Walmart, Target, etc. they can be turned to the dark side & use them to steal. If these passwords are to websites of no importance, then you can rest easy. But if not, I would strongly encourage you to monitor your important bank, shopping & email accounts closely. And to immediately change their passwords if you suspect they were stored in those Firefox password files.
Maybe I'm being overly cautious here but I don't feel like I am overreacting. So please think about which passwords were recovered & their security risk.
Hello,
Rest easy, because all of my sensitive data was stored elsewhere on my phone which I used Facial recognition software to login with, so none of the above which you mentioned is at risk.
From my point of view, I think Microsoft, and I can view everything they do, have gone that extra bit because of the damage caused by a Microsoft engineer to begin with. All of the passwords to my banking information, wasn't part of this. I've already changed my email passwords and as for the other issues you raise, that's not part of this.
If I felt confident enough to follow Cor-el's decryption notes, I'd have a go. Problem is, I don't want to mess it up.
Thanks for the concern, and be assured that Microsoft DON'T have access to any of my passwords.
cor-el said
This Nirsoft utility should also be able to decrypt the logins by providing access to logins.json and key4.db.Oh dear. I hope that that tool works by using some sort of brute-force approach, rather than it having the ability to bypass the encryption Firefox uses?
I would have to rethink trusting my passwords to the Firefox manager if anyone could circumvent the need to provide the primary password simply by downloading a free tool (or any tool).
The website doesn't appear to describe how it works, so does anyone know?
Again, not concerned about a brute-force password cracker, it is the ability to bypass the protection offered by the primary password that I would be worried about.
Zmodyfikowany przez TechHorse w dniu
Thanks for reporting back Darren! Very happy to hear you didn't have any important passwords on your laptop & you already changed the ones belonging to your email.
I suspected it was because you were worried recovering the passwords was too technical or risked screwing something up. So I totally understand that feeling. :)
Overall, just glad you got all your data recovered & weren't compromised in the process.
To TechHorse, you bring up a a fair point. But rest assured that with the Primary password set, that tool can not recover the passwords as a extra layer of encryption is added to it.
See this answer: https://support.mozilla.org/en-US/questions/1210914#answer-1093802 The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a Primary Password you merely need to place the two files in a Firefox profile folder to see the passwords in the Password Manager.
The usernames and passwords are encrypted with triple-DES stored in the key4.db file, but the Primary Password adds an extra layer.
The Nirsoft utility I mentioned above doesn't do any brute-force hacking, it works the same as the Firefox Password Manager and relies on the encryption key stored in key4.db to be able to decrypt the logins stored in logins.json. If both logins.json and key4.db as valid and key4.db is matching then I think that you would have recovered the logins by now.
The PP encrypts to actual encryption key stored in key4.db (logins.json is not changed), so even if you use the PP then having access to a key4.db from before the PP is sufficient to be able to decrypt the logins.
NoahSUMO and cor-el, thanks for the information. Just to check that I have this 100% correct.
The passwords are always saved encrypted in logins.json, and their key never changes.
The key to unlock their encryption is saved in key4.db.
If you do not use a primary password then the key is, in effect, saved in clear text in key4.db.
If you do use a primary password, then the key is independently encrypted by it?
So the primary password encrypts the key that encrypts the logins?
Assuming that that is correct, is it known how the PP encrypts the key?
Because the key itself protecting the logins with "triple-DES" protection isn't helpful if the key itself is being protected by the PP only weakly.
After all, if you are not using a PP at all then the triple-DES encryption provides no practical security benefit.