What is the default protection of saved logins in Firefox?
The following support page: https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_protecting-your-passwords says that "Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer can still see or use them." So by default there is NO password protection of my saved logins. I tried to copy key4.db and logins.json to a new profile - and got them available! So what's the point of encryption then? Also can these files be read (unencrypted) outside of Firefox?
Modified
Chosen solution
The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files is Firefox profile folder to see the passwords in the Password Manager.
The usernames and passwords are encrypted with triple-DES stored in the key file, but the MP adds an extra layer.
Read this answer in context 👍 1All Replies (9)
A slight error. That should read access to your computer user account. If you want added protection, you can use the Master Password option.
https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords
Separate Security Issue: Update your Flash Player or remove it using these links; http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html Uninstall Flash Player | Windows http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html Uninstall Flash Player | Mac
Note: Windows users should download the ActiveX for Internet Explorer. and the plugin for Plugin-based browsers (like Firefox).
Note: Windows 8 and Windows 10 have built-in flash players and Adobe will cause a conflict. Install the plugin only. Not the ActiveX.
Flash Player Version: Version 29.0.0.113
https://get.adobe.com/flashplayer/ Direct link scans current system and browser Note: Other software is offered in the download. <Windows Only>
https://get.adobe.com/flashplayer/otherversions/ Step 1: Select Operating System Step 2: Select A Version (Firefox, Win IE . . . .) Note: Other software is offered in the download. <Windows Only> +++++++++++++++++++ See if there are updates for your graphics drivers https://support.mozilla.org/en-US/kb/upgrade-graphics-drivers-use-hardware-acceleration
FredMcD said
A slight error. That should read access to your computer user account. If you want added protection, you can use the Master Password option. https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords
I know about the Master Password. I want to know what's the point of encryption, and what does it protect me from? Basically I want to understand what is the default protection of saved logins in Firefox....
Someone with personal access to your user accont can do much more worse things than only read your passwords.
TyDraniu said
Someone with personal access to your user accont can do much more worse things than only read your passwords.
Wow!
Only the question is absolutely different.. If you don't like the wording, go ahead and edit the article.
I did submit an edit.
Assuming that key4.db and logins.json files got accessed by a wrong person (no matter how: via physical access to a logged in computer, via malware, or from a flash drive with a backup copy of Firefox profile folder), will they be able to read the contents of the files? If yes, what's the point of encryption then? And finally, again, if yes, why isn't Master Password used by default?
(I tried to copy these files to a different Firefox profile of the same user, and also of a different user, and both times I was able to read them from Firefox.
Chosen Solution
The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files is Firefox profile folder to see the passwords in the Password Manager.
The usernames and passwords are encrypted with triple-DES stored in the key file, but the MP adds an extra layer.
Thank you very much for a detailed explanation