The wallet data is not stored in key3.db or cert7.db; those files just store certificate information. I don't know the exact file those are stored in, but maybe Steve Morse can shed some light on this. I've cc'd him.

The password file is not encrypted by default, but it is encrypted if the user chooses "Encrypt Sensitive Info" from the Password Manager menu. The data is then encrypted with a password supplied by the user. It should be difficult for anyone to decrypt this information, even with access to the Mozilla source code. In fact, the strongest encryption schemes are those which have been open source for some time.

To get at a user's passwords, an attacker would need 1) access to the user's password file, and 2) the user's master encryption password. Without both of these things, there's no way to read those passwords.

-Mitch

> I found that mozilla-the-browser has a password manager (called wallet?),
> which stores user's passwords. I'm just wondering where (in which file) the
> passwords are being saved, and how they are being encrypted before being saved in a file.
> I found that there are key3.db and cert7.db in ~/.mozilla. Are these files
> where the passwords are being stored? If so, by reading the Mozilla source
> (such as those in mozilla/security/{nss|psm}), is it possible to decipher
> (if this is the correct word) passwords of anyone else stored in those files?
> Since Mozilla is open source, so that everyone can have the source and
> see how the password is encrypted, I'm afraid that everyone can decrypt any
> password of anyone else.
>
> To tell the truth, we are planning to use Mozilla as a browser for our
> product (a PDA). So, we are concerned if anyone is able to read our
> customer's passwords stored in key3.db / cert7.db (if I'm correct).
>
> Please point me to some documents (if any) explaining how Mozilla manages
> key3.db and cert7.db, and how the passwords are being managed.
> Thank you in advance.
>
> Regards,
> Bagus
