If you’re using Firefox’s built-in password management, you should also be using its master password feature to protect your saved passwords from prying eyes. But what happens if you lose your master password?
Since the master password prevents anyone from accessing your saved passwords, you’re out of luck if you lose your master password—that is, you can’t access any of your saved credentials without it.
That’s where the free, open source tool FireMaster comes in. FireMaster is a command line tool designed specifically to recover your master password from Firefox. Here’s how to use it…
- Download FireMaster and extract it to a folder on your desktop.
- Open a command prompt. (Shortcut: Hit Win+R, type cmd, then hit Enter.)
- At the command prompt, change the FireMaster folder to your active directory. The quickest way to do this is to type cd , then drag and drop the FireMaster folder from your Desktop onto the command prompt—which will automatically fill in the path to that folder. Then just hit Enter.
- Construct your FireMaster crack command. FireMaster supports a lot of different options, but you can speed up the process if you can narrow down a few points to customize your password cracking. For example, if you know you’ve only used alphabet characters (a through z), adding the following to your command can speed up a brute force attack significantly:
For the purpose of testing and providing an example, I wanted to see how long it would take for FireMaster to crack a password containing only letters (a through z) that I knew was exactly six characters long. The resulting command looks like this:
FireMaster.exe -b -q -l 6 -c "abcdefghijklmnopqrstuvwxyz" -p "??????" %appdata%\Mozilla\Firefox\Profiles\1sq2zzh2.default
As you can see, I’m telling FireMaster to try a brute force crack on a 6-character master password using only the letters a through z. (You should read through the usage information to get a better idea of what options you’ve got for customizing the process to what you know about your password to speed things up.)
In the last part of the command, I’m pointing FireMaster to my Firefox profile folder, where the key3.db file exists (this is the file that contains the encrypted password information). The last folder in that path will differ for you, but everything up to that folder (i.e., %appdata%\Mozilla\Firefox\Profiles\ will get you most of the way there. (If you only have one Firefox profile, you should just see one folder inside Profiles; use that folder.)
- After you’ve constructed your command, just hit Enter to get cracking. Using the command constructed above, FireMaster took roughly 23 minutes to crack my Firefox password. If I didn’t know how long the password was, it would take significantly longer (you can offer a minimum and maximum password size to help narrow things down a little further). That said, it clearly wasn’t all that difficult to crack my password given all I knew about it. It gets much harder the more secure your password is (think unusual characters and long passwords).
Every time we post something about how to crack a password, we have to address the privacy issue. Password cracking tools like FireMaster can, like most things, be used for both good and evil. If you’ve forgotten your master password and you’re desperate to get the keys back to Firefox, it can be extremely useful. If you just like testing how secure your current password is, it’s a handy tool. (I always love testing my passwords against these sorts of things.) It would also, obviously, do the trick if you’re trying to steal someone else’s information. Don’t use it for that, jerk.
FireMaster is a free, open-source download. It works on Windows, but it can crack the master password from any Firefox installation—you just need to copy the key3.db file to a folder on a Windows computer and point FireMaster at that folder. If you give it a try, let’s hear how crackable your master password is in the comments.
Related Posts: On this day...
- Shoes-on flight in sight - 2011
- The Student Loan Scheme - 2010
- Pittsburgh Council gets an earful on G-20 protesting rules - 2009
- The best explanation for how the internet works I've ever seen - 2009
- Comcast's moral obligation: If you cap it, at least help us count it - 2008
- This Post Not Made In Google Chrome - 2008