Closed Bug 1579617 Opened 6 years ago Closed 2 years ago

Cannot change master password

Categories

(NSS :: Libraries, defect, P5)

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: szakyronin, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

I tried to remove and to change my master password. I did not forget it but I would like to modify it as it was compromised.

Actual results:

When I try to change my master password, I get an "Unable to change Master Password." error. When I try to remove it nothing happens.

Expected results:

The master password should have been changed or removed.

Removing the key4.db file and logins.json "solves" the problem but it also means that I lose all my saved passwords. Do let me know if there is a workaround for exporting/saving the passwords.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

So unchecking the Master Password checkbox doesn't work either? Can you check for errors in the Browser Console?

Component: Password Manager → Security: PSM
Flags: needinfo?(szakyronin)
Product: Toolkit → Core

(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #2)

So unchecking the Master Password checkbox doesn't work either? Can you check for errors in the Browser Console?

Indeed.

This is what I got:
Component returned failure code: 0x805a1ff1 [nsIPK11Token.changePassword] removemp.js:46

Flags: needinfo?(szakyronin)
See Also: → 1580285

Does your user account have permissions to modify key4.db and cert9.db? (i.e. is the ownership correct, are the permissions set to read/write, etc.)

Flags: needinfo?(szakyronin)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #4)

Does your user account have permissions to modify key4.db and cert9.db? (i.e. is the ownership correct, are the permissions set to read/write, etc.)

Thank you for the idea, I tried to change the permissions in the profiles folder but the problem still persists. I am logged in as admin so in theory we can rule out permission related issues unless you were thinking of something else.

At any rate, if I create a brand new profile I am able to add/remove the master password unless I copy the key4.db and logins.json which leads me to believe that the problem somehow lies in those files.

Flags: needinfo?(szakyronin)

What happens if you log in first? (about:preferences -> search for "security devices" -> click Security Devices, select Software Security Device, click Log In)
While you're there, what other PKCS#11 modules do you have loaded? (in the list on the left)
Also, is there a version of Firefox where this did work?

Flags: needinfo?(szakyronin)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #6)

What happens if you log in first? (about:preferences -> search for "security devices" -> click Security Devices, select Software Security Device, click Log In)
While you're there, what other PKCS#11 modules do you have loaded? (in the list on the left)
Also, is there a version of Firefox where this did work?

Same issue when I log in there and try to change the master pass.

In the PKCS#11 list the only other thing is: "generic crypto services".

I am pretty sure it did work a few years back, I'd say whatever version Firefox had 3 years ago?! Honestly I have no idea when the last time I changed the master password was, as I have been using Firefox forever.

I can say that the password files have been migrated like a dozen times and survived quite a few Firefox versions, which probably contributed to the current situation.

Flags: needinfo?(szakyronin)

The priority flag is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)
Severity: normal → blocker

I wonder if using certutil would work to change the password. You can download a build for Windows here: https://treeherder.mozilla.org/#/jobs?repo=nss&searchStr=windows%2Cx64%2Copt%2C%28B%29 (click on a green B, download dist.7z in the Job Details tab, extract that. certutil.exe will be in Release/bin). In a shell, you'll do something like certutil.exe -W -d [path to your Firefox profile directory] and then follow the prompts.
If that doesn't work, the only way I can think of to move forward here would be either for you to debug NSS or for you to send us your cert9.db and key4.db files and have us debug them. The downside of that is that those files can contain private information. In particular, key4.db contains the key that encrypts your saved passwords. Also, you'll have to tell us your current password.

Assignee: nobody → nobody
Component: Security: PSM → Libraries
Flags: needinfo?(dkeeler) → needinfo?(szakyronin)
Product: Core → NSS
QA Contact: jjones
Version: 69 Branch → other

I admit I am a bit confused on how to execute your suggestion.

Do I extract dist.7z to the system32 folder or just anywhere? I tried to run certutil (after unpacking of course) but then I either get missing .dll errors or if I copy them, the file just closes itself.

Then I tried to use the line certutil.exe -W -d in command prompt but it comes back with "unknown arg: -w". At any rate, I am not sure where and when I would do the pathing.

Flags: needinfo?(szakyronin)

Sorry if this means going off on a tangent from the current conversation but I'm new to NSS and wanted to help. This is as far as I got (and sorry if this is repetition from what is already known):

Component returned failure code: 0x805a1ff1 [nsIPK11Token.changePassword] removemp.js:46

Looking up removemp.js line 46 shows changePassword() is called (and checkPassword() has been successful). Looking up the error code shows it is a SEC_ERROR_BAD_PASSWORD error (with a description of 'The password entered is incorrect').

When I try to change my master password, I get an "Unable to change Master Password." error. When I try to remove it nothing happens.

The "Unable to change Master Password" message is displayed here. A reason why an error is displayed on changing the password vs removing it could be because the code in changepassword.js has a try-catch block to then display an error on failure (doPrompt(...)).

The code in the try-catch block has a few doPrompt() calls. As szakyronin did not encounter any other dialogs/messages before the "Unable to change..." message, you can rule out what code blocks do not get reached. I cannot confirm as I am unable to debug this but changePassword() is being called here too (the culprit method call from the removemp.js error).

At any rate, if I create a brand new profile I am able to add/remove the master password unless I copy the key4.db and logins.json which leads me to believe that the problem somehow lies in those files.

I was unable to conclude anything just by reading the code in regards to these two files but hopefully the above helps if you take Dana Keeler's option to debug NSS. Good luck!

(In reply to szakyronin from comment #10)

I admit I am a bit confused on how to execute your suggestion.

I believe Dana's suggestion will be a fast and very useful way to address the source of this problem.
So, let's try to make it work in your environment. : )

Do I extract dist.7z to the system32 folder or just anywhere? I tried to run certutil (after unpacking of course) but then I either get missing .dll errors or if I copy them, the file just closes itself.
I would suggest not extracting into the system32 folder. You can create a new, separate folder anywhere.
To avoid setting environment variables, I would suggest entering this folder from an administrative terminal (cmd or ps) and running certutil.exe from there.

Then I tried to use the line certutil.exe -W -d in command prompt but it comes back with "unknown arg: -w". At any rate, I am not sure where and when I would do the pathing.

The message "unknown arg: -w" suggests you used a lower-case "w". Although Windows is case-insensitive, certutil could be expecting an upper-case "W".
For the -d option, you should give the absolute path of the Firefox profile, like "c:\Users\<username>\appdata..."

(In reply to szakyronin from comment #10)

I admit I am a bit confused on how to execute your suggestion.

Do I extract dist.7z to the system32 folder or just anywhere? I tried to run certutil (after unpacking of course) but then I either get missing .dll errors or if I copy them, the file just closes itself.

I wouldn't put those files in system32.

Then I tried to use the line certutil.exe -W -d in command prompt but it comes back with "unknown arg: -w". At any rate, I am not sure where and when I would do the pathing.

Try ./certutil.exe? Windows also has a utility called certutil.exe, so you have to tell the shell which one you want (./ means "in the current working directory").

Flags: needinfo?(szakyronin)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #13)

(In reply to szakyronin from comment #10)

I admit I am a bit confused on how to execute your suggestion.

Do I extract dist.7z to the system32 folder or just anywhere? I tried to run certutil (after unpacking of course) but then I either get missing .dll errors or if I copy them, the file just closes itself.

I wouldn't put those files in system32.

Then I tried to use the line certutil.exe -W -d in command prompt but it comes back with "unknown arg: -w". At any rate, I am not sure where and when I would do the pathing.

Try ./certutil.exe? Windows also has a utility called certutil.exe, so you have to tell the shell which one you want (./ means "in the current working directory").

So I managed to run the downloaded certutil.exe with the specified commands in command prompt, however I get the following error message (no matter what directories I am pointing at):
certutil.exe: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Just to clarify, originally I could not run certutil.exe as it closed with missing .dll errors. After copying those files (from the /lib folder) into the same directory, certutil.exe will run but autoclose.

Now if I use the command prompt and navigate to the folder where the downloaded certutil.exe is, only then I can use the commands that you suggested. However it still fails with the error no matter what folder I select, if any.

Did I download the wrong pack or is this an unrelated issue?

Flags: needinfo?(szakyronin)

That error is consistent with the behavior you're seeing. Maybe try downloading the sqlite tools (https://www.sqlite.org/download.html) and running sqlite3.exe [path to cert9.db] and see if sqlite can even open it (and try again with key4.db if that works).

Flags: needinfo?(szakyronin)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #15)

That error is consistent with the behavior you're seeing. Maybe try downloading the sqlite tools (https://www.sqlite.org/download.html) and running sqlite3.exe [path to cert9.db] and see if sqlite can even open it (and try again with key4.db if that works).

Well it is either not doing anything, or I am approaching it incorrectly. The .open command just created an empty file named cert9 with no extension.

Any hints you could give me to navigate sqlite3 better?

Flags: needinfo?(szakyronin)

The priority flag is not set for this bug.
:jcj, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jjones)

Take a look at a SQLite tutorial, maybe try a client with a GUI to load the database. Ultimately though, for us to make further progress we'd need the database files to examine, as Dana said in Comment 9. Potentially we wouldn't need the password to simply look for obvious corruption.

Still, this is probably a situation where something happened to corrupt the database, and it appears to be rare - I've never seen a similar situation before since we moved to SQLite. I am sorry this happened to you.

Flags: needinfo?(jjones)
Priority: -- → P5

(In reply to J.C. Jones [:jcj] (he/him) from comment #18)

Take a look at a SQLite tutorial, maybe try a client with a GUI to load the database. Ultimately though, for us to make further progress we'd need the database files to examine, as Dana said in Comment 9. Potentially we wouldn't need the password to simply look for obvious corruption.

Still, this is probably a situation where something happened to corrupt the database, and it appears to be rare - I've never seen a similar situation before since we moved to SQLite. I am sorry this happened to you.

I will take a look at some tutorials and will try to poke around with SQLite at the weekend, hopefully I will be able to figure something out.

At any rate I would like to state that I appreciate you guys looking into this issue! Nevertheless, I hope you can understand if I say that uploading the password file is simply not an option. Trust aside, in principle it would create a huge liability and it would be a real privacy risk on my part. Now if I had a way to delete the passwords, maybe leaving 3-4 dummy ones saved, you might still be able to check on the corrupt file.

Indeed it is a rare problem, but there are reports of similar/same issues. I also made a support request here:
https://support.mozilla.org/en-US/questions/1268335

Since a possible solution seems to be unlikely, I would like to ask for your help with a possible workaround.
I have found ways to export the password list into a text/excel file etc. already, but I have no clue how to convert said file into a key4.db. Could anyone give me hints or tell me if it is even possible?

Mmm, thanks for doing the legwork on that!

Good move on exporting the passwords. https://github.com/louisabraham/ffpass looks like it interacts directly with the SQLite database and probably will work. It's not much code, and a quick search doesn't show any opportunity to leak the passwords out, so it should be safe to try, anyway.

(In reply to J.C. Jones [:jcj] (he/him) from comment #20)

Mmm, thanks for doing the legwork on that!

Good move on exporting the passwords. https://github.com/louisabraham/ffpass looks like it interacts directly with the SQLite database and probably will work. It's not much code, and a quick search doesn't show any opportunity to leak the passwords out, so it should be safe to try, anyway.

Thank you for the answer.

Is there a way to import the passwords or to create a key4.db file from a text list? I really would like to avoid doing it all manually and it is not like Firefox has a copy paste function for the passwords.

I am open to any workaround suggestions in case you have something in mind.

It looks like that ffpass tool above can do it from a CSV file, using python.

It might have some bugs in it - I am having trouble with handling all my different profiles, but maybe it'd just work for you?

(In reply to J.C. Jones [:jcj] (he/him) from comment #22)

It looks like that ffpass tool above can do it from a CSV file, using python.

It might have some bugs in it - I am having trouble with handling all my different profiles, but maybe it'd just work for you?

It does look like what I am looking for! Cheers!

FYI: A user in the Turkish support forum is experiencing a similar problem.
https://support.mozilla.org/tr/questions/1275747

She has temporarily removed the master password and when she tries to set it again, she gets an "Unable to change Master Password" error.

I am facing the same problem. I am trying to set the primary password for the first time and I get the same error message.

I've tried to debug the problem a bit. I downloaded http://download-origin.cdn.mozilla.net/pub/security/nss/releases/NSS_3_63_RTM/src/nss-3.63-with-nspr-4.30.tar.gz

The problem happens at the following stack trace:

sdb_GetMetaData (sdb=0x84a8890, id=0x7ffffffec6e0 "sig_cert_23b47603_ce5363b4", item1=0x7ffffffec7f0, item2=0x0) at sdb.c:1728
1728                error = CKR_OBJECT_HANDLE_INVALID;
>>> bt
#0  sdb_GetMetaData (sdb=0x84a8890, id=0x7ffffffec6e0 "sig_cert_23b47603_ce5363b4", item1=0x7ffffffec7f0, item2=0x0) at sdb.c:1728
#1  0x00007ffffd6d7259 in sftkdb_getRawAttributeSignature (handle=0x84d5f50, db=0x84a8890, objectID=599029251, type=3461571508, signText=0x7ffffffec7f0) at sftkdb.c:260
#2  0x00007ffffd6d72ff in sftkdb_GetAttributeSignature (handle=0x84d5f50, keyHandle=0x84d5fe0, objectID=599029251, type=3461571508, signText=0x7ffffffec7f0) at sftkdb.c:271
#3  0x00007ffffd6d7c70 in sftkdb_fixupTemplateOut (template=0x7ffffffeca30, objectID=599029251, ntemplate=0x7ffffffeca30, count=1, handle=0x84d5f50) at sftkdb.c:431
#4  0x00007ffffd6d9d4a in sftkdb_GetAttributeValue (handle=0x84d5f50, objectID=599029251, template=0x7ffffffeca30, count=1) at sftkdb.c:1427
#5  0x00007ffffd6e4665 in sftk_updateMacs (arena=0x8578e20, handle=0x84d5f50, id=599029251, newKey=0x7ffffffecc40, iterationCount=10000) at sftkpwd.c:1149
#6  0x00007ffffd6e4b56 in sftk_convertAttributes (handle=0x84d5f50, id=2746512899, newKey=0x7ffffffecc40, iterationCount=10000) at sftkpwd.c:1266
#7  0x00007ffffd6e4cad in sftkdb_convertObjects (handle=0x84d5f50, template=0x7ffffffecca0, count=1, newKey=0x7ffffffecc40, iterationCount=10000) at sftkpwd.c:1311
#8  0x00007ffffd6e5054 in sftkdb_ChangePassword (keydb=0x84d5fe0, oldPin=0x7ffffffed140 "", newPin=0x7ffffffecf40 "1", tokenRemoved=0x7ffffffecf18) at sftkpwd.c:1400
#9  0x00007ffffd6b7574 in NSC_SetPIN (hSession=16777220, pOldPin=0x8439c10 "", ulOldLen=0, pNewPin=0x8547170 "1", ulNewLen=1) at pkcs11.c:4119
#10 0x00007ffffe38daf7 in PK11_ChangePW (slot=0x84a9580, oldpw=0x8439c10 "", newpw=0x8547170 "1") at pk11auth.c:512
#11 0x000000000801b266 in SECU_ChangePW2 (slot=0x84a9580, oldPass=0x0, newPass=0x0, oldPwFile=0x0, newPwFile=0x0) at secutil.c:402
#12 0x000000000801641f in certutil_main (argc=4, argv=0x7ffffffed7a8, initialize=1) at certutil.c:3515
#13 0x0000000008017acc in main (argc=4, argv=0x7ffffffed7a8) at certutil.c:4035

It is looking for sig_cert_23b47603_ce5363b4 in the metadata table and cannot find it. Any ideas how to proceed?
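A read-only corruption check of the kind Dana and J.C. suggest above (open cert9.db/key4.db with sqlite3, see whether it opens at all, look for obvious damage), plus the metaData lookup that George's stack trace shows failing in sdb_GetMetaData. This is an added example, not code from NSS, Firefox or anyone in this thread; the function names and sample rows are constructed, and only the three table names and the metaData(id, item1, item2) layout are taken from what NSS's sdb.c creates.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Hypothetical helper names (not NSS or Firefox code). The table names and the
# metaData(id, item1, item2) layout are what NSS's sdb.c creates in
# cert9.db/key4.db; every sample value below is constructed.

def inspect_nss_db(path):
    """Open an NSS SQLite database read-only and report what a quick
    corruption pass can see without knowing any master password."""
    report = {"opens": False, "integrity": None, "tables": [], "metadata_ids": []}
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # never write to the profile
    try:
        con = sqlite3.connect(uri, uri=True)
        try:
            report["integrity"] = con.execute("PRAGMA integrity_check").fetchone()[0]
            names = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table'")]
            report["tables"] = sorted(names)
            if "metaData" in names:
                report["metadata_ids"] = [r[0] for r in con.execute(
                    "SELECT id FROM metaData ORDER BY id")]
            report["opens"] = True
        finally:
            con.close()
    except sqlite3.DatabaseError as exc:
        # "file is not a database" etc.: the SEC_ERROR_BAD_DATABASE situation
        report["error"] = str(exc)
    return report

def metadata_has(path, meta_id):
    """True if metaData carries meta_id, e.g. a 'sig_cert_<obj>_<attr>'
    signature row of the kind sdb_GetMetaData fails to find in the trace."""
    return meta_id in inspect_nss_db(path)["metadata_ids"]

def make_sample_dbs():
    """Constructed inputs: a minimal well-formed key4.db-style database and a
    junk-bytes file standing in for a corrupted cert9.db."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "key4.db")
    con = sqlite3.connect(good)
    con.executescript(
        "CREATE TABLE nssPublic (id PRIMARY KEY UNIQUE ON CONFLICT ABORT);"
        "CREATE TABLE nssPrivate (id PRIMARY KEY UNIQUE ON CONFLICT ABORT);"
        "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);")
    con.executemany("INSERT INTO metaData VALUES (?, ?, ?)", [
        ("password", b"\x00" * 16, None),  # constructed, not a real entry
        ("sig_cert_deadbeef_cafef00d", b"\x00" * 32, None)])
    con.commit()
    con.close()
    bad = os.path.join(d, "cert9.db")
    with open(bad, "wb") as f:
        f.write(b"this is not an sqlite file\n" * 8)
    return good, bad
```

Point inspect_nss_db at copies of the profile's cert9.db and key4.db; a report with "error" set and opens False is the same failure certutil reports as SEC_ERROR_BAD_DATABASE, while an "ok" integrity result with the signature ids missing points at the metaData lookup in the trace.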

(In reply to George Prekas from comment #25)

I am facing the same problem. I am trying to set the primary password for the first time and I get the same error message.

Hello George,

I ended up syncing my passwords online with Lockwise and used a brand new profile that did not have its password associated files corrupted.

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: blocker → --

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bbeurdouche)
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bbeurdouche)
Resolution: --- → INACTIVE