Passwords are not secure with master password
I'm cross-posting this in the desktop version forums since it applies for both mobile and desktop.
I really don't understand what is the logic behind the way the password manager was implemented, and it's a major no-go for me. The purpose of a master password should be that it is asked EACH time you try to show the passwords in plain text (in the settings), not once per session (which is also very annoying since the purpose of the password manager is to prevent you from having to enter passwords).
In other words:
If I enter my master password but leave the computer turned on or my cell phone on the table without closing Firefox (which most people do), then someone can go to my setting and have a plain text version of all my passwords instantly, which is pretty bad. The other thing is that while I understand that SOME people might want to enter their master password once per session, most people don't care about this and find this actually annoying and this should be optional. This is actually beating the purpose of the password manager which is NOT to have to enter any password. They are masked, and I do not care if someone opens my browser and views my facebook. What I really care about however is that they shouldn't be able to go to my settings and have an easy access to all my passwords in plain text!
So having to enter your password every session should be an option, while having to enter your password should be mandatory each time you open the password manager itself (or at least optional!). What a major security flaw for a browser that prides itself on privacy...
Solution choisie
I have found a solution to my problem : an open source software for managing passwords that integrates seamlessly with Firefox and offers cloud sync on multiple platforms, it's called BitWarden. I'll use this instead and turn off password managing in Firefox, and keep using Firefox sync to sync my other data.
Lire cette réponse dans son contexte 👍 0Toutes les réponses (20)
If you enter the master password then you log in to the software security device and unlock the passwords. Firefox asks for the MP if you click the button to show the passwords, but that isn't really necessary because Firefox can for instance fill the passwords in a form on websites. You can cancel the prompt to supply the MP to logout of the software security device and disable the Password Manager. You can see the state if you click security devices and select software security device.
Thank you for talking the time to reply. I'm not certain I understand your answer. What do you mean by "you log in to the software security device"? as well as "if you click security device" What device? I don't see this anywhere.
Also, the problem is actually worse with the desktop version, as Firefox is asking my password for practically every page I load if I keep clicking "cancel" on every prompt.
Suggest you do not use Master Password or at this time any Password Manager https://www.howtogeek.com/338209/you-should-turn-off-autofill-in-your-password-manager/
Thank you for the advice, but I'm not worrying about these kind of attacks personnaly I only use my password managers on websites I trust and that are well established (which are also the ones I log onto the most).
I noticed that the mobile version and desktop behave differently, and that the desktop version will at least ask for your master password every time you try to view your passwords in plain text, whether you have already entered it on that session or not. But The fact that it's constantly asking for your master password each time you load a page even if you click cancel is beyond anoying. Where can I take my feedback to the devs?
Hi, you can do that : To submit suggestions for new or changed features, may I suggest: Feedback: https://qsurvey.mozilla.com/s3/FirefoxInput/ or https://discourse.mozilla.org/c/add-ons If you have a bug, file a bug report. https://bugzilla.mozilla.org/ Bug Writing Guidelines : https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines
Does not cure the issue though.
Vilko L said
The fact that it's constantly asking for your master password each time you load a page even if you click cancel is beyond anoying. Where can I take my feedback to the devs?
If you have a login saved for the page, Firefox will want to fill the form, and if you haven't entered the master password, Firefox will ask you for it. Why do you keep canceling? Maybe you should delete the logins for sites where you don't plan to have Firefox fill them, or turn the password manager off when you're not using it (on the Options page, uncheck "Remember logins and passwords for websites").
@Pkshadow thanks, I will definitely do that.
@jscher2000 Thank you for replying. It is asking for my master password even on pages where I am already logged in! (session kept active with a cookie for instance). It will nag me for my master password until I enter it, no matter what.
But even if it didn't, my point is that a master password should be necessary only to view plain text passwords. I shouldn't even have to enter it once per session in order to autofill my passwords. Chrome doesn't ask for your master password when autofilling. You only need to enter your Windows session password (which acts as your master password) to view the passwords in the password manager. Why can't Firefox do that?
@cor-el Yes, I was using sync (I turned off the password manager for now because of the state it is in, especially on Android), but I fail to see how this is relevant to my original post, sorry.
Sync uses the Password Manager to store the credentials, so that would explain the dialog to enter the MP if you aren't logged in to Sync yet. If you would connect to Sync or explicitly disconnect Sync then you won't get these MP prompts unless it is triggered by a form on the web page (you have saved login data).
@cor-el But I was logged into sync all the while. Or do you mean that if I am using sync, I must enter my master password on every session so it can sync them?
You need to login to Sync at the start of every Firefox session because otherwise Sync will ask for the MP every time Sync wants to connect to the Sync server to upload changes (synced tabs, history, bookmarks and other engines that are enabled).
cor-el said
You need to login to Sync at the start of every Firefox session because otherwise Sync will ask for the MP every time Sync wants to connect to the Sync server to upload changes (synced tabs, history, bookmarks and other engines that are enabled).
@cor-el thanks, that is indeed the issue. This is really unfortunate, because I would love to use sync, but I don't want to enter my master password every time I open Firefox. I open and close my browser multiple times a day. I really wish Firefox would only ask a master password to VIEW password text only, or would simply use your windows session password, like Chrome does. Anyone knows an extension that does that?
Pkshadow said
https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/
Thank you for this article. The suggestion given, Lockbox, seems promising, but at the moment doesn't support autofill. The other extensions I know for Firefox aren't open-source and I'm not sure I trust proprietary software to manage my most personal information. So I guess I'll enter my passwords manually for now.
Vilko L said
Pkshadow saidhttps://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/Thank you for this article. The suggestion given, Lockbox, seems promising, but at the moment doesn't support autofill. The other extensions I know for Firefox aren't open-source and I'm not sure I trust proprietary software to manage my most personal information. So I guess I'll enter my passwords manually for now.
Welcome, please Mark the Question as Solved with the Solution (yours)
Well as much as everyone has been very helpful with their answer, my problem remains : I was looking for a way to manage passwords which does not require me to enter a master password each time but only if I want to view them. There doesn't seem to be a way to do this at the moment, therefore my problem is not solved.
Vilko L said
I really wish Firefox would only ask a master password to VIEW password text only, or would simply use your windows session password, like Chrome does.
Firefox itself cannot read the stored passwords without the Master Password. So it would not be able to use the stored passwords to sign into Sync or websites if you do not enter it.
I think you will need to consider a third party password manager.
Modifié le
jscher2000 said
Firefox itself cannot read the stored passwords without the Master Password. So it would not be able to use the stored passwords to sign into Sync or websites if you do not enter it. I think you will need to consider a third party password manager.
As I said in the previous posts, all the extensions I found are proprietary or do not support autofill. I will wait for autofill to be supported by Lockbox and in the meantime will enter my password manually, unless someone knows of a reputable open source extension that supports autofill (one that behaves like Chrome password manager does). If I find any I will post it here and mark my question as solved.
Solution choisie
I have found a solution to my problem : an open source software for managing passwords that integrates seamlessly with Firefox and offers cloud sync on multiple platforms, it's called BitWarden. I'll use this instead and turn off password managing in Firefox, and keep using Firefox sync to sync my other data.