Usability issues and security concerns regarding password sync with a master password
I set up password sync with my desktop installations and observe the following behaviours, which raise major questions for me:
- Desktop passwords do not appear at all
- Deleting the private data via Android does not clear the sync, but drops master password
- Retrieving saved passwords for mobile login sites
Desktop passwords do not appear at all
I'm not sure if this is due to different page URLs for the mobile login pages. But even when I go to the desktop pages I only see the usernames, while the passwords stay blank. Even worse: I did not find any means to check whether, and which, passwords are available on the device at all.
Deleting the private data via Android does not clear the sync, but drops master password
After clearing/removing the stored data via Android, Firefox appears clean & vanilla, but the Sync link still seems to be in operation, now without any master password!
I'm not sure if the Firefox UI is fooling me here, because it reports successful password synchronization after that. To me it appears that this way an adversary would have an easy way to circumvent any master password as soon as he has physical access to my device.
Retrieving saved passwords for mobile login sites
On the desktop version on a regular basis I need to copy existing passwords into modified website forms. Therefore I use the saved password dialog to reveal and paste existing passwords. How would I do that when I'm on the road?
So - how do people use this feature successfully and safely at all?
From frucade
Chosen solution
hello, it's a known issue that syncing of passwords won't work on android when a master password is used (see bug 711636 & bug 780463). there's currently work going on for a successor of sync, so i'm fairly certain that this isn't something that will be fixed in the current system.
you're right that clearing all firefox data via android will also get rid of the master password - this is also the officially recommended way to reset the master pw when you forget it: Using Master Password on Firefox for Android - so together with your first observation i'd recommend the following: disable master password, set up the sync account between desktop & android and let all contents sync, enable the master password on android afterwards, in the desktop sync options disable the syncing of passwords afterwards, so you'd have at least a snapshot of your passwords on your phone. you'd have to repeat these steps whenever you have a new batch of passwords you want to bring on the same level between the two devices...
i'm not aware of a way to access all stored usernames & passwords on firefox on android. the only thing that's possible with this extension is to expose single passwords on pages where it is autofilled by long pressing on the ●●●s.
All replies (5)
Thank you philipp for your extensive and very helpful answer!
clearing all firefox data via android will also get rid of the master password - this is also the officially recommended way to reset the master pw when you forget it
I really hope I misunderstand something here.
Otherwise the whole master password seems very clueless to me: If a thief or an adversary gets physical access to my phone, all he needs to do is clear the data to get access to all my passwords, without needing to know my master password?
ok, just to make it clear: clearing the firefox data through the android settings will get rid of the master password AND all stored passwords. but as you've discovered the sync account apparently remains and stays active, so through this channel the passwords might get onto the device again. that's why i've suggested the "workaround" to disable synchronizing of passwords in the firefox options after the initial pairing in order to avoid that flaw.
if you want you could also file a bug for the issue at bugzilla.mozilla.org, though i'm not sure if something can be done about the situation or if the persistence of the sync account is something that is dictated by the android framework.
Thank you for your clarifications, philipp!
In the first run I misunderstood your workaround as the general workaround to get the passwords into the secured store on the device at all.
If disabling the sync process also purges the decryption credentials it's indeed a viable workaround.
It would be nice if you put up a more prominent notice, both on the "how to setup mobile sync" and in the Android apps that said something about this bug. I managed to find one sentence under "master password".
Even if you don't or can't fix it, at least you can put better warnings out about it.