I hear a lot of people that are whole heartedly against saving passwords in their browser. I would agree if these were not encrypted in any way, but by implementing a master password in Firefox, we can encrypt our saved passwords. Beware that any passwords saved before you set your master password are NOT encrypted and it is still possible for malicious code to steal your passwords through a web site.
Firemaster is a Windows only tool so I am going to load it up in my VMware and see how long it takes to crack my Firefox master password.
Extract the Firemaster.exe to a folder, like your desktop.
I am going to use the brute force method. If you like, run firemaster without options to see the syntax switches. The most important switches are the -n for number of characters and the -a to specify which characters to use when brute forcing. Now run FireMaster as so:
Since my Firefox master password has lower case letters, numbers, and symbols, I am entering all possibilities here. It is also 15 characters long. If I didn’t know what the password was, I would probably start with just lower case and less characters, since most people use all lower case and it would take less time with fewer possibilities.
It says that my password is going to take about 1,158,264 years to crack….OMG.
This is assuming 5000 cracks per second, and of course, this would all depend on my processor speed. I am sure in 10 years there will be much more sophisticated ways to crack passwords, but are you willing to wait that long just to crack my password? And hopefully I will be using some sort of retnal biometric security by that time.
Some other interesting numbers:
6 characters all alpha lower case: 1 hour 47 minutes 6 seconds
6 characters alpha-numeric lower case: 12 hours 26 minutes 20 seconds
6 characters alpha-numeric upper and lower case: 13 days 8 hours 43 minutes 48 seconds
6 characters alpha-numeric upper and lower case plus symbols: 32 days 16 hours 52 minutes 5 seconds
12 characters all alpha lower case: 22973637 days 17 hours
12 characters alpha-numeric lower case: 1128186032 days 22 hours 36 minutes 34 seconds
You get the point…
So the answer to the question, “How Secure are Firefox Saved Passwords?”:
It all depends on the length of your master password to how secure your Firefox passwords really are. Just like any password, your policy should be to use a combination of upper and lower case letters, numbers and symbols. Now, that is not to say that a vulnerability will pop up and websites could read your passwords through the internet after you have verified your master password. Extensions like Secure Login and Firekeeper can remedy that possibility.
Tags: Brute force, Crack, Firefox, Firemaster, Password, Security