Saturday, November 24, 2007
FireMaster: The Firefox Master Password Recovery Tool
Are you really safe in thinking that a master password is the ultimate security? You can crack the master password of any Gecko browser using FireMaster: The Firefox Master Password Recovery Tool. I tested random alphabetic/numeric (a-z + 0-9) passwords using the bruteforce cracking method, excluding special characters. A simple numeric password with 7 characters took me less than 5 minutes, whilst an alphanumeric password of 7 characters showed an ETA of more than 18 days. For 9 alphanumeric characters, the ETA was >14 hours. For 10 alphanumeric characters, the ETA was >6 days.
The more characters you use, the longer it would take to bruteforce it... obviously. You could also use a combo that includes special characters in the password which would take exponentially longer to crack... maybe more than a year for a long-winded string.
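The scaling described above, as an added example that is not part of the original post or of FireMaster: it derives a lower-bound guess rate from the post's 7-digit numeric measurement, then estimates worst-case exhaustive-search time per alphabet and the shortest master password length that exceeds a target time. The rate constant, the sample alphabets and all function names are assumptions made for illustration.

```python
import math
import string

# Assumption: guess rate implied by the post's own measurement, where the whole
# 7-digit numeric keyspace (10**7 candidates) was searched in under 5 minutes.
# It is a lower bound for that 2007 machine, not a figure for current hardware.
RATE_FROM_POST = 10**7 / (5 * 60)  # guesses per second

CHARSETS = {  # constructed sample alphabets
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "lower+digits": string.ascii_lowercase + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}

def keyspace(alphabet_size, length):
    """Candidates an exhaustive search covers for every length 1..length."""
    return sum(alphabet_size ** n for n in range(1, length + 1))

def worst_case_seconds(alphabet_size, length, rate=RATE_FROM_POST):
    """Time to try the whole keyspace at a fixed guess rate."""
    return keyspace(alphabet_size, length) / rate

def min_length(alphabet_size, target_seconds, rate=RATE_FROM_POST):
    """Shortest length whose exhaustive search takes at least target_seconds."""
    length = 1
    while worst_case_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length

def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password of exactly this length."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    century = 100 * 365 * 24 * 3600  # target resistance in seconds
    for name, chars in CHARSETS.items():
        k = len(chars)
        days = worst_case_seconds(k, 7) / 86400
        print(f"{name:13} k={k:2} 7 chars: {days:16.1f} days worst case, "
              f"{entropy_bits(k, 7):5.1f} bits; "
              f"100 years needs {min_length(k, century)} chars")
```

The figures assume a uniformly random password; a dictionary word or a predictable pattern falls far sooner than the worst-case time shown.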
If anyone gets hold of your Mozilla Firefox profile folder, you're finished! Your password list will ultimately be decrypted. Changing the master password thereafter will make no difference, as the duplicate of the database file (which can easily be accessed/copied/emailed) will still be crackable and can be used to reveal the password list.
A batch file can save a lot of time when using this cracker. I created "run.bat" in the same folder as "firemaster.exe" and used the following code to point to my "key3.db" file and execute the cracking process with the chosen parameters.
Firemaster -q -b -n 7 -a "abcdefghijklmnopqrstuvwxyz" "D:\Documents and Settings\myprofile\Application Data\Mozilla\Firefox\Profiles\ex6f7mzf.default"
Do not attempt to email another user's files as you will be caught eventually, instead use a flashdrive ;)
Happy blogging and be safe.