Firefox passwords: Now you see ’em, now you don’t

For some weeks, I’ve been suffering from an obscure problem with my Firefox password store: All stored passwords were available when listed via “settings” / “security” / “stored passwords”, and Firefox would enter user names in the appropriate web site forms. But stored passwords were never entered, the password fields always remain blank.

Creating a new profile, entering some login data and confirming to store the data gave me the expected good result: Re-visiting the login form auto-entered the data successfully. But once I copied over the store files (logins.json, cert8.db, key3.db and secmod.db) from the old profile, the old symptom resurrected: I was offered to chose stored login names, but no passwords were entered.

Background

Firefox uses NSS to store certain information (certificates and private keys) and has not yet switched to SQLite for those (unlike it had happened for other Firefox storage). Hence you’ll find that the “*.db” files are BDBs (Berkeley DB databases), which at least the BDB tools from OpenSUSE 13.1 refused to read. “cert8.db” stores the certificates and “key3.db” holds private keys.

“logins.json” is the file that holds all user names and (encrypted) passwords and is, as the name already suggests, a JSON-encoded data structure. It’s no NSS file, but seems to have some link to the NSS databases, probably some encryption key to the passwords is stored in the keys BDB, rather than using the master password directly.

I verified the structure of the old profile’s logins.json, comparing it to the (almost empty) one from the new profile, and found no obvious problem. Failing to check the content of the BDBs with the distro-supplied BDB tools, I stumbled over the fact that these are actually files from an NSS installation and decided to give “certutil” (supplied via the “mozilla-nss-tools” RPM) a try.

Solution

“certutil” did not reveal any obvious problem with the old profile’s databases, but looking at its help text, a “merge databases” command caught my eye. So (just for good measure) I copied the old profile’s BDB files to a temporary directory and let “certutil” merge the old database into the newly created profile’s database:

me@host:~/.mozilla/firefox/oldprofile > cp logins.json ../newprofile
me@host:~/.mozilla/firefox/oldprofile > mkdir /tmp/oldprofile
me@host:~/.mozilla/firefox/oldprofile > cp cert8.db key3.db secmod.db /tmp/oldprofile
me@host:~/.mozilla/firefox/oldprofile > cd ../newprofile
me@host:~/.mozilla/firefox/newprofile > certutil --merge -d . --source-dir /tmp/oldprofile
me@host:~/.mozilla/firefox/newprofile > rm -r /tmp/oldprofile

Of course, Firefox wasn’t running at that time.

When I restarted Firefox using the new profile, auto-completing login fields worked like a charm. So in the end, it was some form of corruption in the old database. I may well have been the “user root cause” of that, by copying around profile data between profiles earlier on. But it sure is confusing that Firefox obviously has access to all that user/password data (shown via the settings menu), but will not use it during regular operations…

This entry was posted in howto, Linux, OpenSUSE and tagged , , . Bookmark the permalink.

Leave a Reply