As a follow-up to another question, is the encryption via Firefox' master password more secure than simply NTFS encrypting the profile folder? I.e. is there a convincing reason to add the inconvenience of another password whereas NTFS encryption is coupled to my Windows login?
-
Related: [How secure is NTFS encryption?](http://security.stackexchange.com/q/8307/3272) – Tobias Kienzler Oct 16 '12 at 13:30
-
Related: [How secure are my passwords in the hands of Firefox using a Master Password?](http://security.stackexchange.com/q/408/3272) – Tobias Kienzler Oct 16 '12 at 13:54
3 Answers
You're protecting two different things. NTFS only provides storage protection. The Firefox master password provides protection in terms of storage, and up to the point of use.
Once in use, your filesystem will be decrypted for any application you're running. In contrast, the FF-based encryption will give access to your private key only to FF when it's running. Provided that the memory used by distinct applications is properly isolated by the OS, other applications won't have access to it.
If your machine is compromised with a keylogger or something similar, neither approaches help much, but the FF master password should at least protect your from "semi-trustable" applications: those that don't take control of your system, but can at least read what they like on your filesystem, while you're logged on. Of course, this depends on which applications your run.
In addition, assuming that you leave your seat without locking your machine, while another user could make use of that certificate and private key here and there if you've also left FF running, they wouldn't be able to export a copy of it without having to enter your master password when exporting (even if you've already typed in your master password for FF to use, it's a different thing), whereas they could easily copy/export these files when there's no master password.
- 10,875
- 1
- 39
- 61
-
That's a good point, I didn't think about having to trust all other applications... So I really should cope with the additional password :-/ – Tobias Kienzler Oct 16 '12 at 16:45
-
Most likely what I would have answered: Use both, a master password to protect the file being decoded easily, and filesystem encryption to prevent stealing the file when someone powers up the machine. Of course you need strong passwords for a realistic protection for both. In addition you could use KeePass to protect "more valuable" accounts (while using "everyday accounts" with the password manager of FIrefox). – U. Windl Jul 11 '19 at 06:37
I'd say it's equally secure. If you forget to lock your computer when you go away someone could access that folder because it will not be encrypted anymore. However if you forget to lock your computer you might leave your browser opened as well after you introduced the master password.
If your system gets compromized (for instance remote access by exploitation) then neither will save you as an attacker could install a keylogger and get it that way.
- 54,229
- 17
- 113
- 196
I recommend you to use a Password manager like Keepass : http://keepass.info/
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
- 1,193
- 6
- 16
-
2That's how I actually secure my passwords, but Firefox/Thunderbird also store SSL certificates, which Keepass can't take care of. – Tobias Kienzler Oct 17 '12 at 14:59
-
Since I dropped using that SSL certificate, I'm purely using Keepass + [Keefox](http://keefox.org/), so you get the checkmark now – Tobias Kienzler Feb 05 '13 at 06:31