Bagus Mahawan wrote:
> I'm really new to Mozilla (and the security issues), so please bear with me.
>
> I found that mozilla-the-browser has a password manager (called wallet?),
> which stores the user's passwords. I'm just wondering where (in which file) the
> passwords are saved, and how they are encrypted before being saved in a file.
> I found that there are key3.db and cert7.db in ~/.mozilla. Are these files
> where the passwords are stored? If so, by reading the mozilla source
> (such as those in mozilla/security/{nss|psm}), is it possible to decipher
> (if this is the correct word) the passwords of anyone else stored in those files?
> Since Mozilla is open source, so that everyone can have the source and
> see how the password is encrypted, I'm afraid that everyone can decrypt any
> password of anyone else.

I believe the passwords are stored in the prefs or registry somewhere. How they
are encrypted depends on your prefs settings. If you don't click 'encrypt
username/passwords', then the passwords are simply obscured, not encrypted. If
you do click 'encrypt username/passwords', then the usernames and passwords are
encrypted by a fixed triple-DES key stored in key3.db. That key itself is
encrypted by a PBE (Password Based Encryption) key which is generated from your
'Security database password'.

> To tell the truth, we are planning to use Mozilla as a browser for our
> product (a PDA). So, we are concerned if anyone is able to read our
> customers' passwords stored in key3.db / cert7.db (if I'm correct).

The security of the keys stored in key3.db is based on the security of the
password you choose for that database. The stronger the password, the better
the security. The most successful attacks against the key3.db are usually
dictionary attacks, so choosing passwords with mixed letters, numbers, and case,
and that are fairly long, can make attacking the key3.db much more difficult.

bob

> Please point me to some documents (if any) explaining how mozilla manages
> key3.db and cert7.db, and how the passwords are managed.
>
> Thank you in advance.
>
> Regards,
> Bagus
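The layering bob describes (an obscured mode with no key at all, versus a fixed data key that encrypts each saved password and is itself wrapped under a key derived from the security database password) is easy to see in a small model. The following is an added example written for this thread, not code from Mozilla, NSS or PSM. It assumes stand-ins for the real primitives: PBKDF2-HMAC-SHA256 plays the PBE key derivation, an HMAC-SHA256 counter-mode keystream with an authentication tag stands in for triple-DES (the real algorithm is not reproduced here), and base64 stands in for "obscured" storage. The entry layout, function names and sample credentials are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# --- "obscured" mode: no key involved, anyone with the file can reverse it ---
def obscure(secret: str) -> str:
    return base64.b64encode(secret.encode()).decode()

def unobscure(blob: str) -> str:
    return base64.b64decode(blob).decode()

# --- PBE layer: security database password -> key-encrypting key (KEK) ---
# PBKDF2 is an assumed stand-in for the PBE scheme the real key3.db uses.
def derive_kek(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

# --- symmetric layer: HMAC-SHA256 counter mode + tag, standing in for 3DES ---
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag lets us detect a wrong key."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong security database password or tampered data")
    return _keystream_xor(key, nonce, ciphertext)

# --- model of key3.db: a salt plus the fixed data key, wrapped under the KEK ---
def create_key_db(master_password: str) -> dict:
    salt = secrets.token_bytes(16)
    data_key = secrets.token_bytes(24)  # 24 bytes, the size of a 3DES key
    return {"salt": salt, "wrapped_key": seal(derive_kek(master_password, salt), data_key)}

def unlock_key_db(key_db: dict, master_password: str) -> bytes:
    """Recovers the data key; raises ValueError on a wrong password."""
    return unseal(derive_kek(master_password, key_db["salt"]), key_db["wrapped_key"])

# --- saved logins: each entry is encrypted under the data key, not the password ---
def store_entry(key_db: dict, master_password: str, site: str, username: str, password: str) -> dict:
    data_key = unlock_key_db(key_db, master_password)
    return {"site": site, "blob": seal(data_key, f"{username}\0{password}".encode())}

def read_entry(key_db: dict, master_password: str, entry: dict) -> tuple:
    data_key = unlock_key_db(key_db, master_password)
    username, password = unseal(data_key, entry["blob"]).decode().split("\0", 1)
    return username, password

def change_master_password(key_db: dict, old_password: str, new_password: str) -> dict:
    """Only the wrapper changes; stored entries stay valid because the data key is unchanged."""
    data_key = unlock_key_db(key_db, old_password)
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_key": seal(derive_kek(new_password, salt), data_key)}

if __name__ == "__main__":
    # Constructed sample data.
    kdb = create_key_db("correct horse battery staple")
    entry = store_entry(kdb, "correct horse battery staple", "mail.example.test", "alice", "s3cret")
    print(read_entry(kdb, "correct horse battery staple", entry))
    kdb2 = change_master_password(kdb, "correct horse battery staple", "another long passphrase")
    print(read_entry(kdb2, "another long passphrase", entry))  # same entry, new wrapper
    print("obscured entry readable with no password:", unobscure(obscure("s3cret")))
```

Two properties of the design stand out when you run it: the obscured mode yields the plaintext to anyone holding the file, and in the encrypted mode the only secret an attacker has to guess is the security database password, which is exactly why bob's advice about password length and character mix is the whole defence against the dictionary attacks he mentions.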
