This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

saving "saved logins"?

  • 17 replies
  • 2 have this problem
  • 1 view
  • Last reply by user700204

more options

I would like to archive (in a very protected area) a LIST of my "Saved Logins", with passwords. How do I export such a text list from Firefox "Privacy and Security"? Looks like I am unable to just copy it, and paste it. I understand that these saved logins can be sync'ed to other machines, but I want a list.

I would like to archive (in a very protected area) a LIST of my "Saved Logins", with passwords. How do I export such a text list from Firefox "Privacy and Security"? Looks like I am unable to just copy it, and paste it. I understand that these saved logins can be sync'ed to other machines, but I want a list.

Chosen solution

You can use code in the Browser Console to get such a list. That way you do not have to install the above mentioned ff-password-exporter

See these threads for more detail.

Read this answer in context 👍 1

All Replies (17)

more options

http://www.nirsoft.net/utils/passwordfox.html (Win) PasswordFox v1.58 - Extract the usernames/passwords stored in Firefox Copyright (c) 2008 - 2017 Nir Sofer

Note: Some anti-virus show false positive. ++++++++++++++++++++++++++++++++++ Easily export your passwords from Firefox. https://github.com/kspearrin/ff-password-exporter

Export your passwords from Firefox in a portable CSV or JSON format. It works on Windows, macOS, and Linux. +++++++++++++++++++++++++++++++++++ 3 Tools to Decrypt and Recover Passwords Saved in Firefox • Raymond CC https://www.raymond.cc/blog/how-to-find-hidden-passwords-in-firefox/ +++++++++++++++++++++++++++++++++++ https://www.ghacks.net/2018/07/18/how-to-export-firefox-passwords-in-firefox-57/ ++++++++++++++++++++++++++++++++++++ https://github.com/kspearrin/ff-password-exporter

more options

Thank you. In retrospect, it would be nice to do this locally, as in without added software. I'm not entirely comfortable handing all my passwords to a piece of software whose repute is not well understood. I guess I'm OK handing them to Mozilla.

A little strange that, at least on a Mac, I am unable to easily copy the list that is displayed in "Saved Logins".

more options

Chosen Solution

You can use code in the Browser Console to get such a list. That way you do not have to install the above mentioned ff-password-exporter

See these threads for more detail.

more options

That's kinda slick, running that JavaScript code in the Browser Console to export the passwords to a JSON file. It works! Thank you very much.

more options

You're welcome.

more options

Now, as it turns out, the relevant file is logins.json, which is easily accessible on a Mac at Library>ApplicationSupport>Firefox inside your profile folder. All your passwords are there, but they are encrypted! This is a responsible way to do it, because it means that your logins are protected by more than your OS login. If it weren't for that encryption, the Firefox Master Password would offer no added security. Firefox uses the Master Password to decrypt the passwords in this file.

more options

danll said

Firefox uses the Master Password to decrypt the passwords

That is not correct. The Master Password option adds an extra layer of encryption.

more options

Thank you. So if the Master Password adds an extra layer of encryption, what password is used for the first layer of encryption? Is that the user login password?

more options

That I don't know. And I don't think that kind of information should be made public.

more options

That is a default salt value that is generated when the key file (key4.db) is created. This salt value is stored in the key file where also the master password flag is stored when you use it. When you do not use a MP then the logins.json file can be decrypted with only the key file. If you use a MP then you need to supply the MP to be able to decrypt the passwords.


  • Bug 973759 - Master password should be protected with stronger cryptography

(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
)

more options

Now, the k4.db file is in my Preference folder. So you're saying that, in principle, armed with a k4.db file, a MP-unprotected logins.json file can be decrypted. I gather there are open-source tools to do that.

That looks to mean that an MP-unprotected logins.json file and a k4.db file just requires some work to get passwords. But it can be done straightforwardly. So it's protected from lazy thieves. On the other hand, an MP-protected logins.json file cannot be decrypted at all without the MP.

Modified by user700204

more options

If you are logged in to the software security device (i.e. you have entered the MP during this session) then in principle you can access the passwords via code in the Browser Console (passwordmanager.getAllLogins({})). If you cancel a MP prompt or logout via the Devices Manager then you log out and need to re-enter the MP again.

Without a MP you can always access the passwords via specific code or with an external password utility that can handle the Firefox passwords files (logins.json and key4.db).

more options

Yes, that's how I got the password listing in the first place. By logging in with my MP and going to the Browser Console.

But you're saying without a MP you can access the passwords? That's hard to believe, and pretty insecure. If they're encrypted, and you don't have an encryption key, it ain't gonna be easy.

more options

The passwords are always encrypted when stored in logins.json, but the default encryption key is stored in the key file. That is why you always need a matching logins.json and key4.db pair. When a MP is used then only this MP can decrypt the encrypted usernames and passwords.

more options

OK, that makes sense. The default encryption key is stored in an insecure place, so decryption is possible. Passwords are casually secure, but not formally secure. But when MP-protected, passwords are absolutely secure.

Thank you all. It's one thing to be assured that Firefox passwords are secure. It's another thing to understand the different levels of security.

more options

Passwords protected via a MP are as secure as the MP is. There is not much real protection With a weak MP that can easily be found via brute force methods or a dictionary look up.

more options

That's certainly true, and a better way to say it than "absolutely protected." MP-protected passwords are as secure as the MP.