snarfed.org

draw group stream of consciousness

change firefox's saved passwords

Wed, 01 Jan 2003 [comments (6)] [history] [rdf] [raw]

firefox.png

One of my favorite Firefox features is Saved Passwords, which saves usernames and passwords for sites that require a login. Combined with the Auto-Login user script, this easily saves me 20-30 minutes every day.

When you change your password on a site, Firefox almost always notices and changes its saved password too. Unfortunately, Firefox can't be expected to grok single-sign-on services like Passport and most corporate intranets. If you change your single-sign-on password, you're stuck with the old saved password for every single-sign-on site you use. You could delete their saved passwords, but then you'd have to re-enter your new password for every site. Boo.

When I hit this roadbump recently, I rolled up my sleeves and dove into the saved passwords file. Depending on the version of Firefox that created your profile, this will be signons.txt, signons2.txt, or [some_number].s in your Firefox profile directory. (Mine is ~/.mozilla/firefox/default.jre/56011215.s.)

The file should something like this:

#2c
.
http://www.yahoo.com

MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcEC...
*
MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcEC...
.
http://www.google.com
userid
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcEC...
*pass
MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcEC...
.
http://www.microsoft.com
email
MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcEC...
*password
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcEC...
...


For each site, it stores the names of the username and password fields and your (obfuscated) actual username and password. The obfuscation isn't based solely on the value, since sites with identical usernames and passwords will have different obfuscated values. However, from what I can tell, the differences aren't based on the site's URL, the field names, or anything else that matters. They're pure salt. So, you can replace any stored password with any another, and Firefox will de-obfuscate the replacement correctly.

This makes changing saved passwords en masse fairly easy. First, log into a site with your new password, and check that Firefox saved it. Open the saved password file, copy the stored password for that site, and paste it over the stored password for each site you want to update. Restart Firefox, and you should breeze past login pages just like normal!

If you have to do this often, it shouldn't be hard to whip up an awk or perl script to do it automatically. Even a simple Emacs regexp-replace would probably do the job.

See also:

comment bubble OpenID intelliot, Thu 04 Aug 2005

Awesome. This is exactly what I was looking for. Now I'll try it out :)

comment bubble OpenID Guest, Fri 05 May 2006

I don't believe this works if you have set the master password as it seems to then use a more complex form of encryption.

On the other hand… if you haven't set it, then somebody can just use a base64 decode function on your username and password to decrypt them.

- Gerry

comment bubble OpenID petroleo, Mon 08 May 2006

Google the best! http://snarfed.org/ more good www.minhasimagem.pop.com.br my site! :P Tranks!!

comment bubble OpenID Mark L, Tue 16 Jan 2007

Firefox needs to come out with a way to save the passwords to a file so that everyone can grab them and save them when reformatting their computer.
Sincerely,
Mark

comment bubble OpenID skylie, Fri 18 May 2007

This is what I needed. Good job!

comment bubble OpenID cwd, Mon 19 Nov 2007

If you're looking for a way to export all your passwords check out the Password Exporter extension:

https://addons.mozilla.org/en-US/firefox/addon/2848

Post a comment...



Simple HTML and wiki markup are allowed.