CyberNotes
Tutorial Thursday


Two files are needed from your Firefox profile in order for someone to easily retrieve your passwords: key3.db and signons.txt. If someone has those two files they will be able to decrypt all of your passwords and view them without any hassle.

To help get around this (and hopefully deter the theft of my passwords) I decided to alter the name of my signons.txt file so that it isn’t named what someone would expect it to be:

  1. If you want your existing list of usernames/passwords carried over to the new filename, first locate your profile folder, which is inside one of the following folders:

    Windows 2000, XP:
    Documents and Settings\<UserName>\Application Data\Mozilla\Firefox

    Windows NT:
    WINNT\Profiles\<UserName>\Application Data\Mozilla\Firefox

    Windows 98, ME:
    Windows\Application Data\Mozilla\Firefox

    Mac OS X:
    ~/Library/Application Support/Firefox

    Linux and Unix systems:
    ~/.mozilla/firefox

  2. Once you have navigated to your profile folder locate the file named signons.txt and rename it to something else. I renamed mine to bookmarksbak.txt to make it look like a backup of my bookmarks.

  3. Run Firefox and type about:config into the address bar.

  4. Find the value named signon.SignonFileName and double-click on it to change the value.

  5. Change the name to whatever value you renamed signons.txt to in Step 2. I changed mine to bookmarksbak.txt. Press OK when you are done.

  6. Restart Firefox and you will now be using your new password file.

I understand that this is by no means a big security measure but if I let someone use my computer real quick I don’t want them to grab those two files. Someone could easily still figure it out by looking at my configuration file for Firefox but that would take some additional time. I guess this gives me a little more peace of mind. ;)
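Added example, not part of the original post: a short Python audit of the limitation admitted above, that the renamed file is still named in Firefox's configuration. It assumes the changed preference is saved in the profile's prefs.js as a `user_pref("signon.SignonFileName", "...")` line; the function names, the sample prefs.js text and the file list are constructed for illustration.

```python
import re

# One string-valued prefs.js entry, e.g. user_pref("name", "value");
USER_PREF = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;', re.M)

DEFAULT_SIGNON_FILE = "signons.txt"   # default name given in the article
KEY_FILE = "key3.db"                  # second file named in the article

def string_prefs(prefs_js_text):
    """Return {name: value} for string-valued user_pref() lines."""
    return {m.group(1): m.group(2) for m in USER_PREF.finditer(prefs_js_text)}

def audit_profile(prefs_js_text, profile_files):
    """Report which file holds saved logins and what the rename really hides."""
    prefs = string_prefs(prefs_js_text)
    store = prefs.get("signon.SignonFileName", DEFAULT_SIGNON_FILE)
    renamed = store != DEFAULT_SIGNON_FILE
    files = set(profile_files)
    findings = []
    if renamed:
        findings.append(
            f"password file renamed to {store!r}, but prefs.js records "
            "that name in plain text, so the rename is obscurity only")
    if store in files and KEY_FILE in files:
        findings.append(
            f"{store} and {KEY_FILE} sit in the same profile; "
            "set a master password so copied files are not enough")
    return {"store": store, "renamed": renamed, "findings": findings}

# Constructed sample: a profile after following steps 1-6 of the article.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("signon.SignonFileName", "bookmarksbak.txt");
user_pref("browser.tabs.warnOnClose", false);
'''
SAMPLE_FILES = ["bookmarks.html", "bookmarksbak.txt", "key3.db", "prefs.js"]

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PREFS, SAMPLE_FILES)
    print("login store:", report["store"])
    for finding in report["findings"]:
        print(" -", finding)
```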

  1. Would it not be easier to just have the Master Password thing enabled on Firefox? This would just be a useless exercise, if anything at all.

  2. Yes, you are right. However, most people that I know do not use a master password. That means it would be pretty easy for someone to create a virus that would send the two necessary files to someone. I just do this as an additional safety precaution.

  3. Yeah right just because people will not use a lock…you ask them to change the position of their safes from north side of house to south side :D

  4. I don’t know for sure what type of encryption is used for the Firefox profile, but I doubt they would use anything ‘easy’ to decrypt. There are many great encryption schemes that are not very performance intensive that offer great encryption capabilities.

  5. Ryan’s idea is a good one, anything to make it harder. Mr. Minni, your analogy is not accurate. It would be like telling someone WHO KNOWS WHERE THE SAFE IS LOCATED IN EVERY HOUSE to move the safe somewhere UNKNOWN in the house. Not everyone will move it to the same place and it makes it that much harder to find.

  6. I agree with minni, just use the master password!

    The analogy is more like:
    telling people to move their safe to a non-standard location and then updating the map to the safe (the config) displayed on their front door.

    Just lock the safe!

  7. prefs.js anyone? Firefox records the edited/non-default preferences in there. So if someone wanted to write an automated program, it would first look for the signons.txt then it’d look in prefs.js if it couldn’t find it. Simple, done.