Firefox Encrypted Login Entry
Detects Firefox logins.json encrypted password entries in the JSON format used by Firefox's NSS (Network Security Services) credential store. Mirrors Snaffler rule KeepFFRegexRed.
- Type: regex
- Engine: boost_regex
- Confidence: high
- Confidence justification: High confidence: the encryptedPassword JSON key combined with the base64 value constraint is highly specific to Firefox logins.json. The field name is not used in other common credential formats.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF
- Data categories: credentials
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
"encryptedPassword"\s*:\s*"[A-Za-z0-9+/=]{16,}"
Corroborative evidence keywords
encryptedUsername, formSubmitURL, guid, timeCreated
Proximity: 300 characters
Should match
- {"encryptedUsername":"MDIEEPgAAA==","encryptedPassword":"MFoECNQ3Mk7Yo7yEECabcdefghijklmnop","guid":"{abc}"} (Firefox logins.json entry)
- "encryptedPassword":"AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" (long base64 Firefox password)
- "encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFDAN" (typical NSS-encrypted value)
- "encryptedPassword" : "MFoECNQ3Mk7+Yo7yEECabcdefghij1234==" (encryptedPassword with spaces around the JSON colon, Snaffler parity)
Should not match
- "encryptedPassword":"" (empty value, under 16 characters)
- "password":"hunter2" (plaintext field name, not encryptedPassword)
Known false positives
- Security research or malware analysis reports that quote Firefox logins.json content as examples without actual stolen credentials. Mitigation: Require proximity to additional logins.json fields (encryptedUsername, formSubmitURL, guid) to confirm file context.
- Backup or archive files containing encrypted Firefox profiles that are legitimately owned by the user. Mitigation: Scope detection to unexpected locations such as email attachments, cloud storage, or code repositories rather than standard browser profile paths.
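As an added example (not part of this rule catalogue or of Snaffler), the pattern, the 300-character corroboration window and the first false-positive mitigation implemented in Python and run over the rule's own should-match and should-not-match strings. The FAR_KEYWORD sample is a constructed assumption that places a corroborative keyword outside the window; the scan and triage functions are hypothetical names chosen here.

```python
import re

# Pattern copied from the rule; this expression is identical in boost_regex and Python re.
PATTERN = re.compile(r'"encryptedPassword"\s*:\s*"[A-Za-z0-9+/=]{16,}"')
# Corroborative evidence keywords and proximity window from the rule.
KEYWORDS = ("encryptedUsername", "formSubmitURL", "guid", "timeCreated")
PROXIMITY = 300


def scan(text):
    """Return one finding per pattern hit, noting which corroborative
    keywords appear within PROXIMITY characters on either side of the hit."""
    findings = []
    for m in PATTERN.finditer(text):
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        nearby = [k for k in KEYWORDS if k in window]
        findings.append({"match": m.group(0), "keywords": nearby,
                         "corroborated": bool(nearby)})
    return findings


def triage(text):
    """Apply the first false-positive mitigation: a hit surrounded by other
    logins.json fields is treated as a confirmed credential file ('high');
    a bare hit is queued for analyst review; no hit is 'none'."""
    findings = scan(text)
    if not findings:
        return "none"
    return "high" if any(f["corroborated"] for f in findings) else "review"


# Sample inputs: the first five are the rule's own test strings; FAR_KEYWORD is
# a constructed case placing formSubmitURL 400 characters away from the hit.
FULL_ENTRY = ('{"encryptedUsername":"MDIEEPgAAA==",'
              '"encryptedPassword":"MFoECNQ3Mk7Yo7yEECabcdefghijklmnop","guid":"{abc}"}')
LONG_VALUE = '"encryptedPassword":"AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="'
SPACED_COLON = '"encryptedPassword" : "MFoECNQ3Mk7+Yo7yEECabcdefghij1234=="'
EMPTY_VALUE = '"encryptedPassword":""'
PLAINTEXT_KEY = '"password":"hunter2"'
FAR_KEYWORD = ('"formSubmitURL":"https://example.invalid"' + "x" * 400 +
               '"encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFDAN"')

if __name__ == "__main__":
    for name, sample in [("FULL_ENTRY", FULL_ENTRY), ("LONG_VALUE", LONG_VALUE),
                         ("SPACED_COLON", SPACED_COLON), ("EMPTY_VALUE", EMPTY_VALUE),
                         ("PLAINTEXT_KEY", PLAINTEXT_KEY), ("FAR_KEYWORD", FAR_KEYWORD)]:
        print(f"{name:14} -> {triage(sample)} {scan(sample)}")
```

The FAR_KEYWORD case shows why the window matters: the same encryptedPassword value is reported, but it drops from "high" to "review" because no logins.json field sits within 300 characters.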