After testing FirePasswordViewer (http://www.portablefreeware.com/index.php?id=1794) I became interested in finding out if it was in fact possible to crack Firefox passwords. The author of FirePasswordViewer also created a tool for doing just this: FireMaster (http://securityxploded.com/firemaster.php). I'm fairly sure it's portable but it's command line.
Based on FireMaster's estimates, I was pleased to find that a non-English password between 8 and 9 characters (and only checking passwords of these lengths) still had 1.7 trillion combinations and would take about half a year on a regular desktop computer to check them all. Note however that it's possible for a computer to just get lucky and come across the password earlier in the test and it is in fact very unlikely it would take the full 191 days.
What was especially interesting from this whole test was that Firefox is clearly superior in terms of security. Unless you're very careful about controlling physical access to your machine, paranoid types should be aware that no Google applications should be trusted (GooglePasswordDecryptor http://www.portablefreeware.com/?id=1771 also by the same author) unless used through Firefox with a master password enabled. If you're required to use a Google application for your work, it's important to use an independent account with an independent password. There is one exception: some applications have a "save password" option that if you just don't use, you're fine.
Edit1: I was really shocked and surprised that all you have to do is log into gmail.com on IE 7 to leave your password behind. Login, log out, close the browser, your password is still there. Yikes.
Edit2: Mozilla put out a great technique for choosing hard passwords.
Firefox Password Recovery / Audit
Re: Firefox Password Recovery / Audit
webfork wrote: What was especially interesting from this whole test was that Firefox is clearly superior in terms of security.
I just tested GooglePasswordDecryptor:
Chromium 7.0.529.0 (59863) with Gmail and Reader both running.
Gmail Notifier with password NOT saved.
It did not find any stored passwords.
Re: Firefox Password Recovery / Audit
Thanks Ruby.
More test cases:
- Google Calendar Sync - none found
- SRWare Iron (portable) - none found
- SRWare Iron (installed) - none found
Re: Firefox Password Recovery / Audit
Just out of curiosity, I exited Gmail Notifier and logged back in, this time with 'Remember my password' ticked.
GooglePasswordDecryptor indeed found the Username and Password.
I then exited Gmail Notifier and logged back in, this time with 'Remember my password' unticked.
GooglePasswordDecryptor once again did not find any stored passwords.
So to quote webfork:
"There is one exception: some applications have a "save password" option that if you just don't use, you're fine."
This seems to be true; at least in this case.
Edit: It should be noted that I'm using the original Gmail Notifier:
Google
Gmail Notifier v1.0.25.0
Copyright © 2004 Google Inc.
All Rights Reserved