
If I disable my master password and enable sync of my passwords, how are they encrypted? What is my encryption key?

  • 10 replies
  • 4 have this problem
  • 13 views
  • Last reply by cor-el


In the new sync feature I can select passwords to be synced but then I need to disable my master password.

How exactly are my passwords stored and encrypted when I sync them? I want to be in control of the encryption key that encrypts my passwords. I don't feel that the security solution for storing my passwords in the sync solution has been adequately explained to me.

I'm considering getting lastpass instead.

Regards, Daniel Hegner


All Replies (10)


I am not sure we have fully documented this properly.

I will tag this question as escalate. That will bring it to the attention of the other contributors and the HelpDesk staff, but be aware it could be two or three days before HelpDesk staff get round to answering. Meanwhile see a previous post of mine that partly explains the situation and links to what documentation I can find.


Hi da9l,

Thank you for escalating this, John99. After reading the documentation of the blog post, the new sync encrypts the key with

https://github.com/mozilla/fxa-auth-s.../onepw-protocol

  • "On the server, code should get entropy from /dev/urandom via a function that uses it, like "crypto.randomBytes()" in node.js or "os.urandom()" in python."
  • "HKDF-based stream cipher is used to protect the contents of some requests."
  • options.payload = true is recommended

Right now the master password and sync password are not synced https://bugzilla.mozilla.org/show_bug.cgi?id=995268

This discussion is also taking place elsewhere; for more info see Brian Warner's blog post on the old and new sync.

To address this: https://bugzilla.mozilla.org/show_bug.cgi?id=973759. However, it is in the backlog, so I recommend not syncing passwords for now unless you change the sync password often.

Modified by guigs
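As an added illustration (not code from this thread, from Mozilla, or from the onepw protocol document linked above), this Python sketch shows the pattern guigs' bullet points refer to: a random data key drawn from os.urandom, a password-derived unwrap key split off with HKDF so the server only ever holds an authentication value and a wrapped key, and an HKDF-expanded keystream for record contents. The stretch salt, iteration count, info strings and the unauthenticated XOR cipher are simplifications assumed for the example.

```python
import hashlib
import hmac
import os

def hkdf(ikm, salt, info, length):
    """RFC 5869 HKDF (extract, then expand) over HMAC-SHA256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
    return out[:length]

def derive_client_keys(password, email):
    """Stretch the account password on the client, then split it with HKDF into
    an auth value (sent to the server) and an unwrap key (never leaves the
    client). Salt layout, iteration count and info strings are assumptions."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), b"example-stretch:" + email.encode(), 1000, 32)
    auth_pw = hkdf(stretched, b"", b"example/authPW", 32)
    unwrap_key = hkdf(stretched, b"", b"example/unwrapKey", 32)
    return auth_pw, unwrap_key

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup_account(password, email):
    """First device: draw a random data key from os.urandom and upload only the
    auth value plus the data key wrapped (XORed) under the client-held unwrap key."""
    data_key = os.urandom(32)
    auth_pw, unwrap_key = derive_client_keys(password, email)
    server_record = {"authPW": auth_pw, "wrapKb": xor_bytes(data_key, unwrap_key)}
    return server_record, data_key

def recover_data_key(server_record, password, email):
    """Second device: re-derive from the password. The server record alone
    (all a copy of the server's data contains) does not yield the data key."""
    auth_pw, unwrap_key = derive_client_keys(password, email)
    if not hmac.compare_digest(auth_pw, server_record["authPW"]):
        return None
    return xor_bytes(server_record["wrapKb"], unwrap_key)

def encrypt_entry(data_key, nonce, plaintext):
    """HKDF-based stream cipher: expand a per-record keystream from the data key
    and a fresh random nonce, then XOR (illustration only, no integrity tag)."""
    keystream = hkdf(data_key, nonce, b"example/entry", len(plaintext))
    return xor_bytes(plaintext, keystream)
```

The point for the question asked in this thread: the only secret that reconstructs the data key is the account password held on the client, which is also why a locally encrypted (master-password) store cannot simply be merged into it.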


Thanks cor-el & guigs2

Interesting blog & Github articles. I look forward to the 2nd blog article.


Well, I now understand that my bookmarks and passwords are securely stored at the Mozilla servers, but my concern now is that they can no longer be stored securely when at rest on my devices if I want sync to work.

Making it impossible to sync passwords that have been encrypted by a master password breaks one of FF's top selling points IMHO.

My suggestion is that the sync password and the master password are merged into the one and same with the option to ask for it every time the user starts the browser.

That would enable secure storage of the passwords both in transit and at rest in each synced device and re-enable one of FF's top unique selling points IMHO.

Regards, Daniel Hegner

Modified by da9l


I've looked through all the posts on this topic and none of them have explained why the new sync has required us to make our passwords insecure on our computers.

I'm sure someone must have decided this was a good idea - please let the rest of us know why and what the logic was.


Unfortunately the master password system and the sync of passwords are separate and incompatible systems.

The Master Password system is relatively low security. There is a possibility that either the Master Password system or Sync may be modified at some future date to address this issue.

Possibly you may wish to investigate the use of some third-party solution, possibly the LastPass add-on.


The second blog, mentioned upthread, is now available.


Note that if you are connected to Sync, the data used to connect to your Firefox Account is stored in the signedInUser.json file in the Firefox profile folder (if you disconnect, this data is removed).

  • Bug 970167 - disable password sync when master password is enabled
  • Bug 909967 - Firefox Account Signed-in User module