Is it possible to easily retrieve Thunderbird's passwords with access to HDD?

  • I know Firefox 8 stores it's passwords in a SQLite database, which can easily be stolen with access to the HDD!

    What about Thunderbird 8? How does it store the passwords and how can one retieve them?

    I know NirSoft has this nice tool to retrieve passwords, but it's not compatible with Thunderbird > 5.

  • bstpierre

    bstpierre Correct answer

    10 years ago

    On linux, the password database is stored in:

    /home/$USER/.thunderbird/$RANDOM_STRING.default/signons.sqlite
    

    See @Karrax's answer for Windows locations.

    You can examine this file interactively using the sqlite3 CLI:

    sqlite3 ~/.thunderbird/zxcv1357.default/signons.sqlite
    
    sqlite> .tables
    moz_disabledHosts  moz_logins
    sqlite> .schema moz_logins
    CREATE TABLE moz_logins (id                 INTEGER PRIMARY KEY,hostname           TEXT NOT NULL,httpRealm          TEXT,formSubmitURL      TEXT,usernameField      TEXT NOT NULL,passwordField      TEXT NOT NULL,encryptedUsername  TEXT NOT NULL,encryptedPassword  TEXT NOT NULL,guid               TEXT,encType            INTEGER, timeCreated INTEGER, timeLastUsed INTEGER, timePasswordChanged INTEGER, timesUsed INTEGER);
    CREATE INDEX moz_logins_encType_index ON moz_logins(encType);
    CREATE INDEX moz_logins_guid_index ON moz_logins(guid);
    CREATE INDEX moz_logins_hostname_formSubmitURL_index ON moz_logins(hostname, formSubmitURL);
    CREATE INDEX moz_logins_hostname_httpRealm_index ON moz_logins(hostname, httpRealm);
    CREATE INDEX moz_logins_hostname_index ON moz_logins(hostname);
    sqlite> select * from moz_logins;
    3|imap://imap.example.com|imap://imap.example.com||||MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIQwErTyUiOp12345GmuM2KNXcZ=|MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIQwErTyUiOp12345GmuM2KNXcZ=|{1234abcd-beef-feed-face-0a0a0a0a0a}|1|1320123123123|1320123123123|1320123123123|1
    4|smtp://smtp.example.com|smtp://smtp.example.com||||MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIQwErTyUiOp12345GmuM2KNXcZ=|MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIQwErTyUiOp12345GmuM2KNXcZ=|{1decafbad-fa11-1234-1234-abcdef0123456}|1|1320123123123|1320123123123|1320123123123|1
    

    If you wanted to fetch usernames/passwords from code, it's as simple as:

    echo "select encryptedUsername, encryptedPassword from moz_logins;" | sqlite3 ~/.thunderbird/*.default/signons.sqlite
    

    or the equivalent in your favorite programming language with sqlite3 bindings.

    Of course, if they're encrypted (as shown above) you'll need to put some effort into guessing the master password used for encryption. As a user, know that if you use a weak master password (e.g. P4ssw0rd1) it will be trivial to get the cleartext passwords.

    Any hints on decrypting the passwords, if you have the master password?

    I installed Thunderbird today on Ubuntu 14.04 and just out of curiosity checked the `.sqlite` files in the mentioned folder. Glad to know that Mozilla no longer saves passwords in this manner anymore. `signons.sqlite` doesn't exist anymore and `moz_logins` table couldn't be found in any of the tables. Hopefully, they are encrypting this information somewhere inside thunderbird!

    @PrahladYeri now it is stored in `logins.json`

    @ZAB Yup, but the field says `encryptedUsername` and `encryptedPassword`, though I'm not so sure how strong (or weak) their encryption could be.

    @PrahladYeri there is no encryption without a master password. The fields had the same name in `signons.sqlite`

    They should at least use gnome keyrings to protect these passwords even when a master password isn't set. For example by generating a random strong password for the master password and storing in login keyring. Some extensions seem to do that, but they're deprecated.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM