搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

How does the password manager encrypt passwords?

more options

I'd like to know what encryption algothim is used for the password manager and the process behind it. Since I'm using this information for a paper I'd appreciate it if you could add a source as well if possible.

I'd like to know what encryption algothim is used for the password manager and the process behind it. Since I'm using this information for a paper I'd appreciate it if you could add a source as well if possible.

所有回覆 (2)

more options

This is mostly background information, it doesn't answer your question completely:

When you save a login in Firefox, it is stored in a file in your profile folder named logins.json. If you open that file in a text editor, you will see that the contents of the username and password fields are encrypted.

The encryption key is stored in the key4.db file in the same folder. If an attacker obtains both files, then the logins can be decrypted either by another installation of Firefox or by various readily available tools.

To protect the logins against this kind of attack, the user needs to discover the option to create a Primary Password. See: Use a Primary Password to protect stored logins and passwords. Assuming the attacker does not know the primary password, they would need to use brute force to decrypt the passwords.

Now we come to your question of the algorithm because it obviously makes a big difference in whether a brute force attack -- if the attacker doesn't have the associated key4.db file or doesn't know the Primary Password -- could succeed in a reasonable amount of time.

[cipher + hashing methods TBD]

You might also wonder about Firefox Sync. Firefox Sync uses the Firefox Account password to pre-encrypt logins before uploading them to the Sync cloud. This has been heavily tested and widely discussed, so it probably will be easier to find information about this aspect than the local file aspect. See: How Firefox Sync keeps your data safe even if TLS fails.

more options

I don't know whether either of these lists would be relevant, but perhaps you'll get more authoritative responses there:

https://groups.google.com/a/mozilla.org/g/dev-security-policy

https://groups.google.com/a/mozilla.org/g/dev-tech-crypto