10.10.2024

Security

Virtual Servers

How to View Your Saved Passwords in Firefox (Desktop & Mobile)

Firefox's built-in Password Manager stores login credentials locally in an encrypted SQLite database (logins.json and key4.db) within your Firefox profile directory. To view a saved password, navigate to about:logins in the address bar, select the desired entry from the list, and click the eye icon next to the password field to reveal it. On mobile, the equivalent path is Settings > Logins and Passwords > Saved Logins.

This guide covers every method for accessing, managing, and hardening Firefox-saved credentials — on desktop (Windows, macOS, Linux), Android, and iOS — including the underlying storage architecture, Primary Password encryption, and when Firefox's native manager is insufficient for production or multi-user environments.

How Firefox Stores Passwords Internally

Before diving into the UI steps, understanding the storage layer helps you make informed security decisions.

Firefox saves credentials in two files inside your profile folder:

logins.json — stores encrypted usernames, passwords, hostnames, and metadata
key4.db — an NSS (Network Security Services) key database that holds the encryption keys used to protect logins.json

The default encryption uses 3DES (legacy profiles) or AES-256-CBC (modern profiles), wrapped by a key derived from your OS login or, if set, your Primary Password via PBKDF2-SHA256.

Profile directory locations by OS:

Operating System	Default Profile Path
—	—
Windows	`%APPDATA%MozillaFirefoxProfiles<profile>`
macOS	`~/Library/Application Support/Firefox/Profiles/<profile>`
Linux	`~/.mozilla/firefox/<profile>`
Android	Internal storage, accessible via Firefox sync or ADB

If you ever need to migrate credentials, copying both logins.json and key4.db together to a new profile is sufficient — neither file is useful without the other.

Viewing Saved Passwords in Firefox on Desktop

Step 1: Open the Password Manager

There are two ways to reach the Password Manager:

Method A — Direct URL (fastest):

Type the following directly into the address bar and press Enter:

about:logins

Method B — Menu navigation:

Click the hamburger menu (three horizontal lines) in the top-right corner.
Select Passwords from the dropdown.

Both methods open the same about:logins interface.

Step 2: Locate the Credential Entry

The left panel lists all saved logins sorted alphabetically by hostname. Use the search bar at the top of the panel to filter by domain name, username, or any partial string. Firefox performs a real-time substring match across all fields.

Tip: If you have hundreds of entries, use the sort options (by name, last used, last changed, or breach alert status) to narrow results efficiently.

Step 3: Reveal the Password

Click on any entry to expand its detail panel on the right. The password field displays masked characters by default. Click the eye icon to the right of the password field to toggle visibility.

Important: If a Primary Password is configured (see the security section below), Firefox will prompt you to enter it before revealing any credential. This is intentional and is one of the most effective local protections available.

Step 4: Copy or Edit the Credential

Click the copy icon next to the username or password field to copy either value to the clipboard.
Click Edit to modify the stored username or password directly within the manager.
Click Remove to permanently delete the entry.

Edge case — duplicate entries: Firefox can store multiple credentials per domain. If you see duplicate hostnames, this typically happens when a site changed its login URL or you saved credentials under both http:// and https:// variants. Clean these up manually to avoid login confusion.

Exporting All Saved Passwords

Firefox allows bulk export for migration or backup purposes:

In about:logins, click the three-dot menu (top-right of the page).
Select Export Logins.
Confirm the warning — the export produces a plain-text CSV file with all credentials unencrypted.

"url","username","password","httpRealm","formActionOrigin","guid","timeCreated","timeLastUsed","timePasswordChanged"
"https://example.com","user@example.com","MyPassword123","","https://example.com","..."

Critical warning: This CSV is completely unencrypted. Store it only in an encrypted volume or password-protected archive. Delete it immediately after use. Never store it on shared hosting or unencrypted cloud storage.

Viewing Saved Passwords in Firefox on Android

Open Firefox for Android.
Tap the three-dot menu in the top-right corner.
Select Settings.
Tap Logins and Passwords.
Tap Saved Logins.
Use the search bar to filter entries, then tap any entry.
Tap the eye icon next to the password field.

Firefox on Android enforces biometric or device PIN authentication before revealing passwords if your device has a screen lock configured. This is controlled by Android's BiometricPrompt API and cannot be bypassed without device-level access.

Viewing Saved Passwords in Firefox on iOS

Open Firefox for iOS.
Tap the hamburger menu (three horizontal lines) in the bottom-right corner.
Select Settings.
Tap Logins and Passwords.
Tap Saved Logins.
Authenticate with Face ID, Touch ID, or your device passcode when prompted.
Tap any entry, then tap the eye icon to reveal the password.

On iOS, Firefox integrates with the system LocalAuthentication framework, meaning credential access is gated by the same biometric system used to unlock your device.

Security Hardening: Protecting Firefox-Saved Passwords

Set a Primary Password (Formerly Master Password)

The Primary Password encrypts the key4.db key database with your chosen passphrase, making the stored credentials inaccessible without it — even if someone copies your profile directory.

To enable it:

Open the Firefox menu and go to Settings.
Navigate to the Privacy & Security tab.
Scroll to the Logins and Passwords section.
Check Use a Primary Password.
Enter and confirm a strong passphrase.

Technical note: Without a Primary Password, Firefox uses a default empty string as the encryption key, meaning logins.json is technically encrypted but trivially decryptable by any tool that reads key4.db. Setting a strong Primary Password is the single most impactful local security measure you can take.

Enable Two-Factor Authentication on Firefox Accounts

If you use Firefox Sync to synchronize passwords across devices, your Firefox account becomes a high-value target. Enable 2FA:

Visit accounts.firefox.com.
Go to Security in your account settings.
Enable Two-Step Authentication using an authenticator app (TOTP).

This protects the sync layer but does not replace the Primary Password for local storage protection — both should be active simultaneously.

Keep Firefox Updated

Firefox releases security patches on a regular cadence. Outdated versions may be vulnerable to exploits that can extract credentials from memory or profile files. Enable automatic updates under Settings > General > Firefox Updates.

Audit for Breached Credentials

Firefox integrates with Mozilla Monitor (formerly Firefox Monitor), which checks your saved credentials against the Have I Been Pwned database. Entries flagged with a breach alert icon in about:logins should be treated as compromised and changed immediately.

Firefox Password Manager vs. Dedicated Password Managers

Firefox's built-in manager is convenient but has architectural limitations in enterprise, multi-user, or server-side contexts.

Feature	Firefox Password Manager	Dedicated Manager (e.g., Bitwarden, KeePass)
—	—	—
Cross-browser support	Firefox only	All browsers and apps
Encryption at rest	AES-256 (with Primary Password)	AES-256 / ChaCha20 (always enforced)
Zero-knowledge architecture	No (Mozilla holds sync keys)	Yes (self-hosted options available)
Audit log / access history	None	Available in enterprise tiers
Team / shared vault support	None	Core feature
Self-hosted option	No	Yes (Bitwarden, Vaultwarden)
Offline access	Yes (local profile)	Depends on configuration
Breach monitoring	Mozilla Monitor integration	Varies by provider
CLI access	No	Yes (Bitwarden CLI, KeePassXC CLI)

For personal use on a single device, Firefox's manager is adequate when a strong Primary Password and 2FA are configured. For teams, developers managing multiple environments, or anyone running server infrastructure, a self-hosted solution on a VPS provides far greater control and auditability.

Running a Self-Hosted Password Manager on a VPS

If you manage credentials for a team, a development pipeline, or multiple client environments, hosting a solution like Vaultwarden (a lightweight Bitwarden-compatible server written in Rust) on a VPS eliminates reliance on third-party sync infrastructure entirely.

A minimal deployment on a Linux VPS looks like this:

# Install Docker and Docker Compose if not already present
apt update && apt install -y docker.io docker-compose

# Create a directory for Vaultwarden data
mkdir -p /opt/vaultwarden/data

# Create a Docker Compose file
cat > /opt/vaultwarden/docker-compose.yml <<EOF
version: "3"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - ./data:/data
    environment:
      WEBSOCKET_ENABLED: "true"
      SIGNUPS_ALLOWED: "false"
    ports:
      - "127.0.0.1:8080:80"
EOF

# Start the service
cd /opt/vaultwarden && docker-compose up -d

Place this behind an Nginx reverse proxy with a valid TLS certificate. Pairing this with an SSL certificate ensures all credential traffic is encrypted in transit. For teams requiring isolated environments per project, dedicated servers provide the hardware-level isolation that shared infrastructure cannot guarantee.

If you prefer a managed control panel to handle web server configuration, VPS with cPanel simplifies virtual host and SSL management without manual Nginx configuration.

Recovering Passwords When Firefox Won't Start

If Firefox crashes or becomes corrupted, you can extract credentials directly from the profile files using the firefox_decrypt Python tool:

# Clone the tool
git clone https://github.com/unode/firefox_decrypt.git
cd firefox_decrypt

# Point it at your profile directory
python3 firefox_decrypt.py ~/.mozilla/firefox/<your-profile>

You will be prompted for your Primary Password if one is set. The tool outputs credentials in plain text to stdout — pipe it carefully:

python3 firefox_decrypt.py ~/.mozilla/firefox/<your-profile> > /tmp/recovered_creds.txt

Encrypt or delete /tmp/recovered_creds.txt immediately after use. This approach is also useful for forensic audits on Linux servers where a headless Firefox profile was used for automated browser testing.

Practical Decision Matrix

Use this checklist to determine the right credential management approach for your situation:

Single user, personal device, low-risk accounts — Firefox Password Manager with Primary Password and 2FA on Firefox Account is sufficient.
Single user, high-value accounts (banking, infrastructure) — Use a dedicated password manager (KeePass local vault or Bitwarden cloud) in addition to or instead of Firefox's manager.
Developer managing multiple server environments — Self-host Vaultwarden on a VPS with TLS and IP allowlisting. Use the Bitwarden CLI for scripted credential retrieval.
Small team sharing credentials — Vaultwarden with organization vaults, hosted on a VPS with daily encrypted backups to off-site storage.
Enterprise or compliance-regulated environment — Dedicated secrets management (HashiCorp Vault, AWS Secrets Manager) with full audit logging; Firefox's manager is not appropriate for this use case.
Email credentials specifically — Consider email hosting with enforced 2FA at the provider level, independent of browser-stored passwords.

FAQ

Can Firefox saved passwords be accessed without the Primary Password?

Yes, if no Primary Password is set, the encryption key is derived from an empty string and any tool that reads key4.db alongside logins.json can decrypt all stored credentials without user interaction. Setting a strong Primary Password is mandatory if local credential security matters.

Where exactly are Firefox passwords stored on Linux?

They are stored in two files — logins.json and key4.db — inside your profile directory at ~/.mozilla/firefox/<profile-id>/. Both files must be present together for decryption to work.

Does Firefox Sync encrypt passwords before sending them to Mozilla's servers?

Yes. Firefox Sync uses a client-side encryption model where data is encrypted locally using keys derived from your account password before transmission. Mozilla's servers store only ciphertext. However, this is not a zero-knowledge architecture in the strictest sense, as the key derivation involves your account credentials which Mozilla authenticates.

Why does the eye icon not appear for some password entries?

This typically occurs when the entry was saved without a password value (username-only entries), or when the entry is flagged as a breach and Firefox has temporarily restricted display. Check the entry details and verify the password field is not empty.

Is it safe to use Firefox's password manager on a shared or public computer?

No. On any shared machine, saved passwords are accessible to anyone with OS-level access to your user profile, regardless of whether a Primary Password is set — because the Primary Password protects the encryption key, but the profile directory itself is readable by the OS user account. Always use private browsing mode and never save passwords on shared hardware.

Save 15% on All Hosting Services