DEV Community

Higor Diego
Higor Diego

Posted on

Cracking Firefox Encryption and Rescuing Saved Passwords!


Who hasn’t taken advantage of that amazing browser feature to save time and avoid the stress of remembering passwords for various websites where we’re registered? With so many different profiles to manage nowadays, this convenience has become a real lifesaver!

However, it’s natural to have some doubts about the security of this process since we’re entrusting sensitive information to the hands of the browser. But don’t worry, together we’ll unravel how Firefox handles this crucial aspect.

In this article, we’ll dive deeper into how Firefox works and how it stores our passwords. Is this practice really secure? We’ll better understand how our data is treated and, in turn, feel more at ease using this browser convenience.

Finding the Storage Location

In this section, we’ll discover where the folder that stores Firefox data is located in your default profile. This location may vary depending on your platform. Check out the paths below:


Enter fullscreen mode Exit fullscreen mode

Mac OS:

~/Library/Application Support/Firefox
Enter fullscreen mode Exit fullscreen mode


Enter fullscreen mode Exit fullscreen mode

When running on your computer, remember to replace with your machine’s username. This information will be useful for the password recovery process, which we’ll explore in detail later.

Now, once inside the specific folder, we’ll list the contents to identify the important file for our action:

└─$ cd cwprco4r.default-esr && ls -lah 
-rw-r--r--  1 higor higor 2,5K jul 22 09:30 logins.json
Enter fullscreen mode Exit fullscreen mode

Above, we have the important file for our action. The rest of the files in this folder are not relevant to the purpose of this article.

By executing a read command like cat logins.json, we will get the following output:

  "nextId": 3,
  "logins": [
      "id": 1,
      "hostname": "chrome://FirefoxAccounts",
      "httpRealm": "Firefox Accounts credentials",
      "formSubmitURL": null,
      "usernameField": "",
      "passwordField": "",
      "encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYJITKoZIhvcNabAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
      "encryptedPassword": "MIIDdAQQ+AAAAAAAAAAAAAAAAAAAATAUBggqhkiG9w0gc2aae45DBwQISyY0ItSG+VQEgat1gNIkM7/xitAyu7BaD8YvkZ3GUfbfsUxGkTJyZwKFyQVjnwVlBgUmrC84lSycKkzdoeDsX2VFQoka90izrJ7gwxSlCbXX8DotPYjNGZEjIOKuODsxbXHEen7m/UIh0UqkKKtkQeU9OxG3vViGrPJgZs2kLpJtpX3YEVGbgHig6orJtZtjfkSfB2CTpaSsGDHJBsKwFt1wUYOp8NdQPndrRcTZ3kF9if93rDhfxlgkpePGYYl3NkgQIu6jJ76hOLYeEh0Mm7mCIHa/jiKwUHtU6xVxc3OMX0BY/E0jCeN6NMuxC44HgPhjkKqMGaKBNxp/SdMO7a2L3dPw0pndkKhx5XweylFU4KBcrRJSWzAPbHsRQ5gOg4umn6R+idKJpp3UbBovlte4fWOJyk+2hSLabKdHvOX82D5Hbg03ThOI62uXyVsAqmAxgLUsIAh9kRxA2MyfwnD5OVF4lBCQzEmPVTGfs8mi196WxYXJekC2Bn4ARH1rZlJo7c6bsGBcw5dRx5QqGmOrYYhSUr1+B9onLV+Ja1n+G8dNXGq3803+nSAcLZOBzq3YxB0+dJ/o4S9M+jNZChnDiJ3LF2JXIqKY5MnIw7sFrI0y1YTvEUWeVrGAGh3vDqBVOtlznx7G4VdX92nGjwuHDfH07QDXplVYbjthIvRN6Ykm+MLGoTY84kWuGkqpczeXtUQp3P5/JziUVCePdoaJhwU4JATpNXy25PNcgprW2SFQ4L/jCJ3L9JL9P+XRSZ3nVzDqm+xVLqWQVmda1fDWAAkmRmzPaDF+M5hXTM4NVJy8DbLrQislKsBWcw1GUCZNe0ja4019vXkUqV0LhAa7EnoidgoxBPVCUw0/37/2lAGURMdo5Q6dujWtku6fMhlsr7SVtVTaxnK9jZnkhqb2H8qhW4aoajHeym9EpKYKsqlraragGT8Cn7NmQs7BTicEQwvOYP+oUEFAcXYIX1yE/3zmQSH29QfkeobX1PcwaIRuct6hf8IG13TjOQe/K5k6UJep9XTEpUpfW7dWcipRLnXKXK+pSBwpj1WYHpYG7+qdSmf/85YiexedTWk5px/9DyH1RlqH7UT4Uern4ynEOBJcys9InNFGRiBhvQtvXclBanP",
      "guid": "{a2eb5150-685d-4615-a254-1c5dd58bee56}",
      "encType": 1,
      "timeCreated": 1689961688625,
      "timeLastUsed": 1689961688625,
      "timePasswordChanged": 1689961698732,
      "timesUsed": 1
      "id": 2,
      "hostname": "",
      "httpRealm": null,
      "formSubmitURL": "",
      "usernameField": "EmailAddress",
      "passwordField": "Password",
      "encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
      "encryptedPassword": "MFIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcvcrBCiECFZc/kfDKvcrBCinGLow37uiKmg7K83IUGntneBODTMeV1jMrg95p3sCQzSknnBdG2ef",
      "guid": "{f0459b50-b0fe-4512-a085-e94e72319579}",
      "encType": 1,
      "timeCreated": 1687392175539,
      "timeLastUsed": 1689971142811,
      "timePasswordChanged": 1687392175539,
      "timesUsed": 2
  "potentiallyVulnerablePasswords": [],
  "dismissedBreachAlertsByLoginGUID": {},
  "version": 3,
  "sync": {
    "lastSync": 1689961704.49,
    "syncID": "MDoEEPgAAoZIhvcNAwAAAAAAAAAAA03210x,mmmAAAAAoZIhvcNAwEwFAYIKoZIhvcNAwcECD42iieWPdOhBBAjVsIqtcbz7b/ttYPhb2D0ZI63"
Enter fullscreen mode Exit fullscreen mode

This file contains the information needed to recover the passwords saved in the browser.

Identification of Encryption and Security Library

To ensure security, the username and password are encrypted using a cryptographic standard called PKCS #11 (Public-Key Cryptography Standards #11). This standard defines a standard interface for accessing cryptographic devices, such as smart cards and USB tokens, making cryptographic operations secure and protecting sensitive information.

Firefox adopts this standard through the NSS library, which has different names depending on the operating system:


Enter fullscreen mode Exit fullscreen mode

Mac OS X El Capitan:

Enter fullscreen mode Exit fullscreen mode

Enter fullscreen mode Exit fullscreen mode

These libraries are essential for the password decryption process.

Decrypting the Passwords

Now, let’s move on to the decryption step! To do this, we need to follow these steps:

  • Clone the repository containing the code required for decryption:
git clone
Enter fullscreen mode Exit fullscreen mode
  • Run the code, providing the path to the folder containing the Firefox files:
python /home/higor/.mozilla/firefox/cwprco4r.default-esr
Enter fullscreen mode Exit fullscreen mode
  • The expected result will be the display of the saved passwords’ information:
Username: ''
Password: 'teste#123'
Enter fullscreen mode Exit fullscreen mode


Saving passwords in the browser can be extremely convenient, saving time and effort when accessing our accounts. However, it’s essential to be cautious and follow good security practices. Avoid using public computers to access important accounts and never share your passwords with others.

I hope this article has been useful and informative!

Keep following us for more content on technology, cybersecurity, and other interesting subjects.

Until next time!


Top comments (1)

overflow profile image

So i assume the guys at Mozzilla Firefox does not know about this....Yet