Everything Mitch said is correct. Let me add a few comments of my own.
1. There are two separate components, namely password manager
(previously called single signon) and form manager (previously called
wallet).
2. Both store the user's data in a file in the profile directory. The
prefix of the file is randomly generated (to prevent a hacker from
locating it) and the suffix is .p for password manager and .w for form
manager (aka wallet).
3. Even when the files are not encrypted as Mitch pointed out, they are
at least obscured (using a BASE64 encoding) so that a casual reader
would not be able to get a glimpse at the values.
4. Having the source of the browser does not give the hacker any clues
as to how to obtain any of the user's information if it is encrypted.
It does tell him exactly how to crack the user's information if it is
only obscured.
-- Steve Morse
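To make the distinction in points 3 and 4 concrete, here is an added illustration, not code from Mozilla or from any of the posters: a record stored "obscured" with Base64 is recovered by anyone who knows the encoding, while one encrypted under a key derived from the user's master password is not, even with full knowledge of the algorithm. The sample record, the iteration count, and the HMAC-based stream construction are assumptions of this example (it stands in for a vetted AEAD such as AES-GCM so the code runs on Python's standard library alone).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample record (not real Mozilla wallet data): site, user name, password.
RECORD = b"www.example.com\tbagus\thunter2"
ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this example


def obscure(record: bytes) -> bytes:
    """Base64 'obscuring': no secret is involved, so anyone who has read the
    source (or simply recognises Base64) can reverse it."""
    return base64.b64encode(record)

def unobscure(blob: bytes) -> bytes:
    return base64.b64decode(blob)

def derive_keys(master: str, salt: bytes) -> tuple:
    """Stretch the master password into a 32-byte cipher key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as the PRF: a stdlib-only stand-in for AES-GCM."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(record: bytes, master: str) -> bytes:
    """Encrypt-then-MAC under keys derived from the master password; fresh salt and nonce."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    ct = bytes(a ^ b for a, b in zip(record, keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ct + tag)

def decrypt(blob: bytes, master: str) -> bytes:
    """Reverses encrypt(); the tag check fails for a wrong password or an edited file."""
    raw = base64.b64decode(blob)
    salt, nonce, ct, tag = raw[:16], raw[16:32], raw[32:-32], raw[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered file")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def opens_with(blob: bytes, master: str) -> bool:
    """True only when this master password decrypts the stored blob."""
    try:
        decrypt(blob, master)
        return True
    except ValueError:
        return False
```

Knowing exactly how `obscure()` works is enough to read any .w or .p file that is merely obscured; knowing exactly how `encrypt()` works gains nothing without the master password.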
Mitchell Stoltz wrote:
>
> The wallet data is not stored in key3.db or cert7.db, those files just
> store certificate information. I don't know the exact file those are
> stored in, but maybe Steve Morse can shed some light on this. I've cc'd
> him. The password file is not encrypted by default, but it is encrypted
> if the user chooses "Encrypt Sensitive Info" from the Password Manager
> menu. The data is then encrypted with a password supplied by the user.
> It should be difficult for anyone to decrypt this information, even with
> access to the Mozilla source code. In fact, the strongest encryption
> schemes are those which have been open source for some time. To get at a
> user's passwords, an attacker would need 1) access to the user's
> password file, and 2) the user's master encryption password. Without
> both of these things, there's no way to read those passwords.
> -Mitch
>
> > I found that mozilla-the-browser has a password manager (called wallet ?),
> > which stores user's passwords. I'm just wondering where (in which file) the
> > passwords are being saved, and how they are encrypted before being saved in a file.
> > I found that there are key3.db and cert7.db in ~/.mozilla. Are these files
> > where the passwords being stored ? If so, by reading the mozilla source
> > (such as those in mozilla/security/{nss|psm}), is it possible to decipher
> > (if this is the correct word) passwords of anyone else stored in those files
> > ?
> > Since Mozilla is open source, everyone can have the source and
> > see how the password is encrypted, so I'm afraid that everyone can decrypt any
> > password of anyone else.
> >
> > To tell the truth, we are planning to use Mozilla as a browser for our
> > product (a PDA). So, we are concerned if anyone is able to read our
> > customer's passwords stored in key3.db / cert7.db (if I'm correct).
> >
> > Please point me to some documents (if any) explaining how mozilla manages
> > key3.db and cert7.db, and how the passwords are managed.
> > Thank you in advance.
> >
> > Regards,
> > Bagus