Password Manager protection Security Flaw?
I am very surprised and somewhat disappointed that the Password manager protection does not sync across devices. I refer to thread:"Firefox Primary Password is different on my 2 PC's" in the archived Q&A section.
I love the Password manager and this is my main source to keep track of the 1000's of passwords we have to have to operate nowadays and they are easily accessible. It was always my issue that I felt they were very vulnerable as I had not turned on the Password protection due to bad past experience with not properly understanding the feature at first and being locked out of all my passwords or so it felt. I have now re-established this option and feel more secure(maybe foolishly). But, I believe there is a serious security flaw in Mozilla. I can understand that you offer the option to have different password on a per device basis. However I feel the implementation of this is very dangerous and can inadvertently expose all my passwords without my consent.
When I opened my new computer, I did set-up Firefox as my primary browser and enabled Syncing data. I made the foolish assumption that Syncing my password would offer me the same protection as the one I have on my main PC. I was surprised not to be asked for my main password when opening the browser nor do I recall been asked to set-up one new one for the new machine.
If my profile says that I want my passwords to be protected, I would at minima force the same default on any new browser install and require either authorization and / or verification from the original or another previously registered device before sharing the passwords. Passwords should be protected by default as defined i my profile. Otherwise, if my Firefox account is compromised, I will automatically expose all my passwords to anyone.
I do not recall, because I do not install Firefox everyday, but on my Android device, I was not asked whether I wanted to protect my passwords or not. They were by default or so it felt. Yes, they do not use my main password, they rely on my bio-metric info. So, there is a basic layer of protection. Why not in Windows?
Your thoughts?
Alle Antworten (3)
You can possibly flip this pref to true in about:config.
- signon.management.page.os-auth.enabled
Note that using Biometrics like Windows Hello/PIN instead of the Primary Password to protect the logins is less secure as it doesn't encrypt the logins stored in logins.json like the Primary Password does and having access to logins.json and key4.db and place them in a Firefox profile is sufficient to inspect the logins. Using Biometrics is merely to make it harder to access/view passwords in the Password Manager, but Firefox will still be able to fill a login on a webpage without asking. This is also the case if you unlock the passwords via the Primary Password during a session.
Firefox does support OS Authentication feature, but it hasn't been enabled.
Hi Cor-el, I am not understanding: signon.management.page.os-auth.enabled.
But my point is similar to the 2018 thread "Firefox password manager sync between PC and android 8.0 reveals passwords on synced android 8.0 without ever entering master password for ffx on android device" made by Bo15ffx. 6 years later, I feel, the same security risk still exist... or did I miss something??
Point noted about the lack of local encryption when only using the Biometrics only in Android. This makes the loophole even bigger.
If in my profile I ask to have the data Encrypted, I means it should be encrypted on all my devices by default. Therefore a key should be required on every device. Better if they are independent.
I think that a local primary password is intended to be just that: a way to protect locally-saved passwords on a device.
It is not intended to protect the passwords that are saved on the sync server (your Mozilla / Sync account password does that), nor is it intended to protect the passwords saved locally on other devices (their own local primary passwords do that).
You could perhaps argue that if a local primary password has been set up on one sync-connected device, then Firefox should check all newly connected devices and emphasise that their own local primary password be set up.
I don't claim to know, but Perhaps though the thinking is that this isn't a security issue as such because the passwords would only first appear on a new device if the correct Mozilla account credentials were entered. And anyone who has incorrectly assumed that their PP has followed them to the new device and has been quietly enabled in the background, would generally discover the truth very quickly?
I would personally prefer to be prompted to set up a PP before any passwords get saved locally. Apart from anything else, if the passwords are saved locally then a PP later added, then this means that the master key for your passwords got saved unencrypted to disk. And could theoretically be recovered with the right tools.