FirePassword : Free Console/Command-line Tool to Recover Website Login Password from Mozilla Firefox Browser
See Also

FirePassword is first ever tool (back in early 2007) released to recover the stored website login passwords from Firefox Browser.

Like other browsers, Firefox also stores the login details such as username, password for every website visited by the user at the user consent. All these secret details are stored in Firefox sign-on database securely in an encrypted format. FirePassword can instantly decrypt and recover these secrets even if they are protected with Master Password.

Also FirePassword can be used to recover sign-on passwords from different profile (for other users on the same system) as well as from the different operating system (such as Linux, Mac etc). This greatly helps forensic investigators who can copy the Firefox profile data from the target system to different machine and recover the passwords offline without affecting the target environment.

For more advanced features, download our new All-in-one
Browser Password Recovery Pro Enterprise 2018 Edition

Note: FirePassword is not hacking or cracking tool as it can only help you to recover your own lost website passwords that are previously stored in Firefox browser.

It works on wider range of platforms starting from Windows XP to new Windows 10 version.

  • Instantly decrypt and recover stored encrypted passwords from 'Firefox Sign-on Secret Store' for all versions of Firefox.
  • Recover Passwords from Mozilla based SeaMonkey browser also.
  • Supports recovery of passwords from local system as well as remote system. User can specify Firefox profile location from the remote system to recover the passwords.
  • It can recover passwords from Firefox secret store even when it is protected with master password. In such case user have to enter the correct master password to successfully decrypt the sign-on passwords.
  • Automatically discovers Firefox profile location based on installed version of Firefox.
  • On successful recovery operation, username, password along with a corresponding login website is displayed
  • Fully Portable version, can be run from anywhere.
  • Integrated Installer for assisting you in local Installation & Uninstallation.
About Firefox's Built-in Password Manager

Firefox has a built-in password manager tool which stores username and passwords for all the visited websites. These credentials are stored in the encrypted form in the Firefox profile's database files such as key3.db and signons.txt.

The key3.db file contains master password related information such as encrypted password check string, salt, algorithm and version information etc
Signons.txt file contains the actual sign-on information
  • Reject Host list : List of websites for which user don't want Firefox to remember the credentials.
  • Normal Host List : Each host URL is followed by username and password.
How it Works?
Firefox till version 3.5 stores the sign-on secrets in signons.txt file located in the Firefox profile directory. With version 3.5 onwards Firefox started storing the sign-on secrets in Sqlite database file named 'signons.sqlite'. The structure of sign-on information stored in the signons.txt file (signons2.txt for version 2 and signons3.txt for version 3) and signons.sqlite for version 3.5 onwards is described below...
For Firefox < v2.0
  • First comes the sign-on file header which is always "#2c"
  • Next comes the reject host list in clear text, one per line and terminated with full stop.
  • After that normal host list is stored in the following format
    • Host URL
      • Name  (username or *password)
      • Value (encrypted)
      • .(full stop)
For Firefox v2.0 and and below v3.0
  • First comes the sign-on file header which is always "#2d"
  • Next comes the reject host list in clear text, one per line and ends with full stop.
  • After that normal host list is stored in the following format
    • Host URL
      • Name  (username or *password)
      • Value (encrypted)
      • Subdomain URL
      • .(full stop)
For Firefox v3.0 and below v3.5
  • First comes the sign-on file header which is always "#2e"
  • Next comes the excluded host list in clear text, one per line and ends with full stop.
  • After that saved host list is stored in the following format
    • Host URL
      • Name  (username or *password)
      • Value (encrypted)
      • Subdomain URL
      • --- (Dashed line denoting the end of host entry)
      • .(full stop)
For Firefox v3.5 and below v32

The new signons.sqlite database file has two tables moz_disabledHosts and moz_logins. The moz_disabledHosts table contains list of excluded websites which are exempted from storing passwords by user. The moz_logins table contains all the saved website passwords. Here is more detailed description of each tables...

  • table - moz_disabledHosts
    • id - index of each entry
    • hostname - blacklisted website URL
  • table - moz_logins
    • id - index of each entry
    • hostname - base website URL
    • httpRealm -
    • formSubmitURL - Actual website hosting URL for which secrets are saved.
    • usernameField - name of username element of form field
    • passwordField - name of password element of form field
    • encryptedUsername - encrypted username
    • encryptedPassword - encrypted password
    • guid - unique GUID for each entry
    • encType - value 1 indicates encrypted
For Firefox v32.x  and above
From version 32 onwards Firefox uses new login password file 'logins.json'. This file stores all the details such as website URL, encrypted username, encrypted password along with other details in JSON format as shown below (some of the fields are ignored for clarity),
However encryption and decryption technique remains the same as earier.

Now once the username and password values are extracted, next task is to decrypt them. Information required to decrypt these values is stored in key3.db file. If the master password is set, then you must provide the master password to proceed with decryption.

If you have forgotten the master password, then you can use our Firemaster tool to recover it

If the master password is set and if you have not provided it, then FirePasswordViewer will prompt you to enter the master password.

Installation & Uninstallation
It comes with Installer so that you can install it locally on your system for regular usage. This installer has intuitive wizard (as shown in the screenshot below) which guides you through series of steps in completion of installation.
At any point of time, you can uninstall the product using the Uninstaller located at following location (by default)
[Windows 32 bit]
C:\Program Files\SecurityXploded\FirePassword

[Windows 64 bit]
C:\Program Files (x86)\SecurityXploded\FirePassword
Using FirePassword
Here is the general usage information
FirePassword.exe [-o <file_path>] [-m <password>] -p <firefox_profile_path> | -p auto

-o  output file to write passwords
-m  specify the master password
-p  profile path of Firefox
//Dump passwords from CURRENT Firefox profile path
FirePassword.exe -p auto
//Dump passwords from specified Firefox profile path
FirePassword.exe -p 'c:\profiles\firefox\test.default'
//Write passwords to output file from Firefox profile path
FirePassword.exe -o c:\passlist.txt -p 'c:\profiles\firefox\test.default'
//Write passwords to output file from CURRENT Firefox profile path automatically
FirePassword.exe -o c:\passlist.txt -p auto
//Dump passwords from CURRENT Firefox profile path with master password
FirePassword.exe -m 'master123' -p auto
//Dump passwords from specified Firefox profile path with master password
FirePassword.exe -m 'master123' -p 'c:\profiles\firefox\test.default'
//Write passwords from specified Firefox profile path with master password
FirePassword.exe -o c:\passlist.txt -m 'master123' -p 'c:\profiles\firefox\test.default'
//Show this help screen
FirePassword.exe -h
FirePassword is the command-line based tool, hence you have to run it from cmd prompt.  Here are the brief usage instructions
  • Launch the cmd prompt and move to folder where you have copied FirePassword.exe
  • Next run it by typing 'FirePassword.exe' and follow the examples to recover the passwords.
  • If you have protected Firefox with master password then you have to specify it using -m option like 'FirePassword.exe -m mypassword' to recover the passwords successfully.
  • On successful recovery operation, FirePassword displays login website URL, username and password for all the stored websites.
  • If you wants to save the password list to file then use the -o option as shown in the examples above.

You can also copy the Firefox profile files from different operating system such as Linux or MAC to the Windows system locally and then specify that path with the FirePassword to recover passwords from such offline profile.

Now you can recover login passwords from Mozilla based SeaMonkey browser by specifying profile path with -p option

Firepassword in Action
FirePassword is not a hacking tool as it can recover only your stored passwords. It cannot recover the passwords for other users unless you have right credentials.

Like any tool its use either good or bad, depends upon the user who uses it. However Author or SecurityXploded is not responsible for any damage caused due to misuse of this tool.

Read complete License & Disclaimer terms here.

  • Thanks to the Mozilla-Firefox crew for making such an excellent and  beautiful browser. 
  • Thanks to Stefano for informing and providing code to make the FirePassword to support Firefox version 2.0
Release History
Version 10.0 : 8th Apr 2018
Mega 2018 release to support Master Password and Password Recovery from Firefox's new crypto database
Version 9.0 : 16th Dec 2017
Major edition supporting website login password recovery from new Firefox including both 32-bit & 64-bit versions.
Version 8.0 : 5th Dec 2016
Mega 2016 edition with the support for recovering Firefox passwords on new Windows 10 version
Version 7.5 : 27th Jul 2015
Tested successfully latest version of Firefox v39.0. Also added feature to Installer to dynamically download latest version
Version 7.0 : 7th Jan 2015
Mega release with a support to recover stored website passwords from new Firefox password file 'logins.json' starting with version 32. Also integrated Uninstaller into Add/Remove Programs.
Version 6.0 : 10th July 2013
Mega version with major enhancements to support latest Firefox version 22.0. Improved usage screen and overall output commands.
Version 5.5 : 6th Mar 2013
Now you can recover login passwords from Mozilla based SeaMonkey browser by specifying profile path with -p option
Version 5.0 : 23 Nov 2012
Successfully tested with latest version of Firefox v17.0 on Windows 8. Minor improvements in usage display.
Version 4.5 : 17th Feb 2012
Support for latest version of Firefox v10.0.1, Removed confusing username/password field names from the report.
Version 4.1 : 28th Mar 2011
Minor bug fix in the code.
Version 4.0 : 20th Nov 2010
Integrated Installer for local Installation & Uninstallation. Added feature to output directly to local file instead of console. Improved on display of results and error messages.
Version 3.6 : 12th May 2010
Dynamically loads Firefox DLLs from its installed location. Color based display to clearly view the password information.
Version 3.5 : 27th Dec 2009
Support for Windows 7.  The errors messages are now shown in RED color so that they are clearly seen.
Version 3.1 : 21st Aug 2009
Support for recovering the passwords from Sqlite signon database file used by latest Firefox version 3.5.
Version 2.6 : 9th Jan 2009
Fixed the application data folder problem with Vista.
Also it contains some of the security related changes.
Version 2.5 : 18th June 2008
Support for Firefox version 3.0 with its new signon file format.
Other enhancements related to user friendliness and clear display.
Version 2.0 :  3rd March 2007
Support for Firefox version 2.0. New signon format is explained below.
Few minor bug fixes and formatting of the result display.
Version 1.7 :  8th July 2006
Finally much awaited FirePassword source code is released.
Master Password checking is improved and now its done at beginning itself.
Removed the Gecko-SDK dependency completely.
Tested successfully with latest Firefox version
Version 1.6 :  25th Feb 2006
Few bug fixes here and there.
Thanks to Nemo for reporting the bug in base64 handling routine.
Version 1.5 :  14th Jan 2006
Static library dependency removed. Now libraries are loaded dynamically.
Support for wider range of Firefox versions.
Automatically detects Firefox profile directory if not specified.
Version 1.0 :  1st Jan 2006
First public release of FirePassword.
FREE Download FirePassword v10.0

License  : Freeware
Platform : Windows XP, 2003, Vista, Windows 7, Windows 8, Windows 10

See Also