Password Manager (Lack of) Security
I have appreciated Firefox for many years, so long in fact that I no longer have access to the email address that I signed up with. I have had no reason to access my account so I did not realise that it was out of date. I was accessing my account to check that I had two-factor protection and since I could not access the account I decided to create a new account and used the help pages to move my profile to the new account. I was able to move my profile and access all my bookmarks and PASSWORDS! I simply uninstalled Firefox, moved my profile to another location, downloaded Firefox and copied the old profile over the newly created profile. I opened Firefox and could open the password manager and see all my passwords. I could not believe how easily I could access all the sensitive information. I needed no password - just access to the profile. This profile will be saved on any computer that I have used to log into Firefox. Anyone with access to those computers could easily repeat what I was able to do. This is a serious security flaw and I simply can't believe I was able to do this!!!!!
All Replies (4)
Since you lost the login to the Sync account email, there's nothing a Firefox forum user can do to help, as sync follows the password; any change means the sync data is wiped clean of previous sync data. When you're on your own device/computer, that data stays; nothing changes unless you sync the email, then anything previous on other synced devices' logins will update to match the main system where the sync data comes from. What you're confusing is not the same thing here. Your data is local and anyone with access to the computer will see all your data. Login and local data are two different animals. Firefox has nothing to do with your computer security other than their browser security and how secure their browser is when it accesses online sites or apps. That security is up to you to maintain and protect.
Thank you for taking the time to read the post. I am not looking for a solution but wanted to give feedback on what I consider to be a very serious flaw in the security of passwords stored in a Firefox account. To access the same information in Chrome requires the user to enter a password and with 2 factor security it is reasonably secure. I have never stored any sensitive passwords in a password manager, so it is not a big deal to me personally. But I am still shocked at how easy it was to access all the passwords when I was really only looking to keep the bookmarks. It is easy to see that another user could spread their password details around multiple computers and have no idea how easy it is to gain access. All I wanted to do was give feedback so that the flaw could be tightened up; a post seemed to be the only way to raise a concern. And I do think that it is browser security that is the problem.
Interesting. I've just fired-up Chrome and for all that I can't see a page listing all my passwords I can search for one for a particular site and view it or download an open csv file containing them all without having to enter a password. That therefore seems no more secure than Firefox.
If somebody gets physical possession of your computer they could use your passwords even if they couldn't see what they are. If you want it so locked-up that you need a password to use a stored password there's no point storing it in the first place.
When you set-up sync you can choose what to include and if Bookmarks are all you want un-tick everything else.
You can use the Primary Password to protect your logins stored in the profile folder. Without the PP you can simply access/view all passwords if you place logins.json and key4.db in a Firefox profile folder.
Note that the PP is only used locally; if you use Sync then the logins are encrypted with a key derived from the Mozilla Account password.
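An added example, not part of the thread or of Firefox itself: a Python audit that finds directories holding both files named in the last reply (logins.json and key4.db), counts the stored logins, and flags copies whose POSIX permissions let other local accounts read them. The function names and the sample profile are constructed for illustration; it assumes the top-level "logins" array that logins.json uses, and it neither decrypts anything nor detects whether a Primary Password is set.

```python
import json
import os
import stat
import sys
import tempfile
from pathlib import Path

CREDENTIAL_FILES = ("logins.json", "key4.db")  # the two files named in the reply above


def audit_profiles(root):
    """Return one finding per directory under root that holds both files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not all(name in files for name in CREDENTIAL_FILES):
            continue
        profile = Path(dirpath)
        try:
            data = json.loads((profile / "logins.json").read_text(encoding="utf-8"))
            count = len(data.get("logins", []))
        except (OSError, ValueError, AttributeError):
            count = None  # unreadable or malformed; still report the profile
        # POSIX mode bits: any group/other permission widens who can copy the pair.
        loose = [name for name in CREDENTIAL_FILES
                 if stat.S_IMODE((profile / name).stat().st_mode) & 0o077]
        findings.append({"profile": str(profile), "stored_logins": count,
                         "loose_permissions": loose})
    return findings


def make_sample_profile(root, mode):
    """Build a constructed profile (fake data) for demonstration."""
    profile = Path(root) / "abcd1234.example"
    profile.mkdir()
    sample = {"logins": [{"hostname": "https://example.test",
                          "encryptedUsername": "CONSTRUCTED",
                          "encryptedPassword": "CONSTRUCTED"}]}
    (profile / "logins.json").write_text(json.dumps(sample), encoding="utf-8")
    (profile / "key4.db").write_bytes(b"constructed placeholder, not a real NSS database")
    for name in CREDENTIAL_FILES:
        os.chmod(profile / name, mode)
    return profile


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_profiles(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            make_sample_profile(tmp, 0o644)
            results = audit_profiles(tmp)
    for finding in results:
        print(finding)
```

Run it with a directory argument (a home directory or a mounted backup, for instance) to list every profile copy found there; with no argument it audits the constructed sample.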