
In the old days I would emphasize that people should not select the remember passwords option because (besides the fact you tend to forget what the browser remembers) a bad guy could display the password (if he knew how) and read it there, and then use it later.

These days the passwords can be encrypted using a master password, so the primary problem is gone.

So should I use the feature?

On the good side, it helps prevent phishing because it checks the domain name automatically.

Also, am I just imagining, or does it also make the attacker's job more difficult? (simple key-loggers are insufficient unless the Firefox data files are fetched as well)

Then on the bad side, if someone walked up to your computer just after you logged in to a gaming site, then they could probably pull up your banking password as your master password would still be in memory, would it not?

Either way, more in-depth attacks are equally capable of obtaining data regardless of which route you took?

Can you provide some guidance on how to decide whether to use the option, from a security standpoint?
Benoit Esnard
700 Software
  • It is also worth considering some other issues that you didn't raise, such as: if passwords are stored in the browser, what about usability (for example, what about passwords for non-web purposes?); availability (for example, what if you switch to a different browser, machine, or Firefox profile?). In other words, even if the browser provides sufficient security, is this a good place to store your passwords? – jdigital Jan 06 '14 at 22:28
  • Short answer: I'd say it's mostly for ease of use, and it enables you to use much more unique passwords since you don't need to remember all passwords (be sure to backup Firefox' password database though!). I'd recommend using the master password and storing most passwords (not your bank login perhaps, but most sites should be no problem). – Luc Feb 06 '14 at 13:45
  • Also see this question: http://security.stackexchange.com/questions/120044/how-do-i-protect-my-passwords-from-webbrowserpassview/120293#120293 – Robert Mennell May 03 '16 at 16:17
  • guess this is more a question, just tossing it out there - if you kept PWs somewhere like a saved e-mail, and had your PWs hidden within the text, would copy/pasting them stop a keylogger from ever accessing them? –  May 03 '16 at 16:02
  • Only external hardware level key loggers. Software level key loggers are still granted access to your paste bin. This should also be another question entirely – Robert Mennell May 03 '16 at 16:20
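The anti-phishing point raised in the question (the browser "checks the domain name automatically") comes down to an origin comparison. The following is an added example, not Firefox's or Mozilla's code: a small autofill matcher that only offers a saved credential when the page's origin (scheme, host and port) is exactly the origin the credential was saved for. The saved entries, URLs and function names are constructed for the illustration.

```javascript
"use strict";
// Added example, not Firefox code: how a browser password manager can decide
// whether a saved credential is allowed to autofill on the current page.
// The comparison is on the page's origin (scheme + host + port), never on
// what the page looks like, which is why a lookalike domain gets nothing.
// The saved entries and URLs below are constructed for the illustration.

function canonicalOrigin(urlString) {
  // URL.origin lower-cases the host and drops default ports, so
  // "https://Bank.Example:443/login" becomes "https://bank.example".
  return new URL(urlString).origin;
}

// Return the saved entries whose origin is exactly the page's origin.
function autofillCandidates(pageUrl, savedEntries) {
  const pageOrigin = canonicalOrigin(pageUrl);
  return savedEntries.filter((entry) => canonicalOrigin(entry.origin) === pageOrigin);
}

// Constructed sample store (usernames only; passwords are irrelevant here).
const SAVED_ENTRIES = [
  { origin: "https://bank.example", username: "alice" },
  { origin: "https://mail.example", username: "alice@mail.example" },
];

// Runs the matcher over a few page URLs and reports how many entries would
// be offered for each.
function runOriginDemo() {
  const count = (url) => autofillCandidates(url, SAVED_ENTRIES).length;
  return {
    realBank: count("https://Bank.Example:443/login"),             // 1: same origin
    lookalike: count("https://bank.example.evil-site.test/login"), // 0: different host
    httpDowngrade: count("http://bank.example/login"),             // 0: different scheme
    subdomain: count("https://www.bank.example/"),                 // 0: strict host match
  };
}

console.log(runOriginDemo());
```

The strict host comparison is a design choice for this example; a real manager may relax it for subdomains of the same site, but the lookalike and scheme-downgrade cases are exactly what the exact-origin rule is there to refuse, and no amount of convincing page content changes the answer.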

5 Answers


You have been very thorough in considering downsides and benefits.

Using a master password in Firefox or another browser is usually an acceptable compromise. Nevertheless, there is no care-free approach to dealing with passwords. (Convenience vs. security.)

The earlier question How secure are my passwords in the hands of Firefox using a Master Password? gives some guidance; it says: most likely secure, but I would not use it.

My advice is the opposite: if you cannot remember a lot of hard-to-remember passwords or passphrases, using the browser to remember (and in some cases generate) your passwords can be a good compromise.

As far as banking goes: many banks use two-factor authentication (such as ID, password + number from a single-use password list). I don't use banks/brokers/etc. which allow using them with just ID+password, as such authentication info gets leaked too easily.

Anyway, if there are high security passwords, I would memorize them in my head.

Key logger

In case of a key logger, the master password does not fully protect against it, because the key logger will then record the master pass.

Passwords in your head

If you can remember a unique password for each site you use, each password having a very large amount of entropy, it is better than remembered passwords (except against a key logger).

However, in practice, there are so many site passwords that it is almost impossible to pick very good passwords for each one of them.

Using key store

A key store allows you to use a master password to store a lot of passwords. Instead of many good passwords, you need only one good password. This password is supposedly easier to remember as it is needed often. Because there are fewer passwords to remember, people can afford to use a more complex password as the master password.

Synchronized passwords

Some applications like Firefox (and Safari and so on) allow you to synchronize your passwords between your devices. Such a service is very convenient. Because the synchronization often goes through quite a few servers, all those who can see the traffic may try to recover your passwords. At least the parties who are able to break your master pass most likely get access to all your passwords.

user4982
    *"In case of key logger, master password does not really protect against them, because key logger will then record master pass."* What I meant was, it prevents the real password from getting leaked to the keylogger. The master password is not useful on its own unless the data files are captured. Granted, the keylogger could also get the data files, and everything else. Just speaking of simple keyloggers. – 700 Software Jan 06 '14 at 23:55
  • @GeorgeBailey: The wording was bad. I've fixed the wording with s/really/fully/, without explaining further. However, the sad fact is: whoever is able to get a key logger onto your device is likely to also get the data files, and thus acquire all passwords for the price of one. – user4982 Jan 07 '14 at 06:46

The Firefox Master Password was a good feature when introduced; it saves time typing every password on every website, as you pointed out. There are data files to obtain that password; your saved passwords are encrypted with them.

In answer to your question about the password being in memory: it will stay in memory until you restart Firefox, AFAIK. But if someone tries to access your saved passwords, even if the master password is already in memory, you would be prompted again, as you can test. As far as accessing websites goes, yes, it would still give access if you have saved credentials for them, although there is no way to retrieve any passwords without the master password; that's why it was implemented.

Although it's a good feature, personally I would recommend using LastPass.

It's a widely-known manager for storing and keeping your passwords "more secure"; it also has plugins for different browsers, including Firefox, which I use. It can also generate "random-secured" passwords with different options and the number of characters you'd like. In my opinion that's the safest way you can protect your passwords, and it's easy to set up. It has many features, including one to scan your passwords and display how secure they are on a scoreboard between 0 and 100, depending on multiple factors, and suggest how you can improve them.

As long as you protect your password for that site, or use the other possible ways of authentication that it provides, including fingerprint and card reader authentication (you must have reader devices, of course).

SomeNickName

Master passwords and encrypting them on your computer further than what the OS already offers shows this is nothing more than security theater. Although it is convenient, it still leads to risky practices, and even worse makes it easier to forget your passwords.


The Actual Impact on Security

A great quote about why Chrome doesn't use a master password even though it already encrypts them in your user area:

A great post on it from Justin Schuh:

> I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.
>
> Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
>
> We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.

This shows one thing: You're trying to protect your information at the wrong end of the chain. Make sure your OS and computer are safe. That will go miles further than encrypting your passwords in static storage on the same machine you use to browse the web.

If you want to store your passwords, store them encrypted in another machine that isn't connected to anything. That way if your system gets taken control of, you are still safe.

This is akin to saying just because I'm not an Admin I'm a safe user. No, you really aren't. Your preconceived notions are still wrong. Just because you think it is, doesn't mean it is.


The Downfall of the User

Okay you decide to go through with it anyways, and you've already got a nice list of the pros there in your question. Now let's look at the cons.

Cons

- Makes it easier to forget your other passwords

You no longer have to actually remember them, just a master password. Humans are animals of habit, and this habit will overwrite your good memory with bad habits.

- Propagates risky behavior and lazy thinking

This does not make your computer or web browser safe. AT ALL. It only gives a false sense of security, and helps to try and keep you from being phished. However the only real defense against phishing is to not get phished and to make sure you don't visit sites you don't trust.

- By the time someone could access your stored passwords, you've already lost

This really is just to emphasize what is said above. Seriously, this does nothing to improve security.


How to avoid this and actually make sure your passwords are safe and recoverable:

On a non networked computer, make an encrypted file with a copy of your passwords in it and password protect it with a strong password. Then turn it off. Never use it for anything other than when you need to recover your passwords.

Robert Mennell
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/39314/discussion-on-answer-by-robert-mennell-if-i-use-a-good-master-password-in-firefo). – schroeder May 05 '16 at 05:10

TL;DR: Yes, it probably improves security, but you could do even better with a "real" password manager.

Long version:

Firefox's "remember password" combined with a master password is the equivalent of a cloud-based password manager with excellent browser integration, local encryption, and automatic sync, but lacking pretty much any other features. Here's why I say that:

Firefox Sync stores your passwords on Mozilla servers, but it does not store them in plaintext. They are encrypted locally using a key derived from your Firefox Sync password; the Mozilla servers never get the plaintext passwords. When you log into Firefox on another device, your encrypted passwords are downloaded, and decrypted locally. This is similar to popular cloud-based password managers like LastPass.

Since your passwords are encrypted locally before sending them to the server, Mozilla cannot access them. Thus, when you forget your Firefox Sync password, you lose any data stored on Mozilla's servers, so you'd better hope you still have a local copy. Again, this is consistent with any good password manager.

Where Firefox differs is that its passwords are actually stored locally in unencrypted form by default. That's where the master password comes in. Like the sync password, the master password never reaches Mozilla; it is used only locally, to decrypt the local data for use. There are some concerns that the PBKDF used for the master password is not as strong as that used for the sync password, so it is potentially vulnerable to dictionary attack; but a strong, randomly-generated password or passphrase should make up for that.

The master password also encrypts saved Firefox Sync credentials, so you still only need to enter a single password to get access to all of the password manager features in Firefox, even though under the hood the Sync password is separate from the master password. However, this does mean you need to set up your master password separately on every device. The master password is not synced between devices, it is only used to encrypt the data locally. This makes Firefox's password manager features a little easier to screw up than dedicated apps.

Now, when I say it's equivalent to a cloud password manager, that means a few things:

Pros

  • You have an online backup of all your passwords
  • You can set up hundreds of accounts with unique, fully random, max-length passwords (and you don't need to remember them). You are less vulnerable to server breaches.
  • Your passwords will be automatically entered for you, but only when the website is actually the correct website. You are less vulnerable to phishing.
  • You can conveniently log in from any device where you can log into Firefox.
  • You can use Firefox on your mobile device to view your saved passwords, when you can't log into Firefox on the device you are using for some reason.

Cons

  • All your passwords can be compromised, if malware on your machine can capture your saved passwords and master password; or if it can access the memory of Firefox. While a key logger can certainly capture logins when you don't use a password manager, you are less likely to lose all of your passwords that way. Thus you are more vulnerable to malware on your computer. This is the "all your eggs in one basket" problem, so be sure to secure your basket with a very good master password.
  • Using hard-to-remember passwords (normally a good thing) means that you will probably become reliant on the saved passwords, which could leave you unable to log into devices you don't normally use.

One of the big things you point out is that someone sitting down at your computer when you step away could still view your saved passwords, if you leave yourself logged into Firefox with your master password. This is a shortcoming most password managers can mitigate with a timeout period that locks the password database. There are extensions for Firefox that can do the same thing.

So, should you use it?

That's really up to you, but I (and people smarter than me) certainly recommend using a password manager. I prefer a more fully-featured password manager (specifically, KeePass) but a properly configured Firefox with a strong master password and a strong sync password should do the job. If the choice is between Firefox with a master password, vs. no password manager at all, I think you should go with Firefox. It encrypts all the data in smart ways that prevent anyone (including Mozilla!) from getting it in case of a stolen device or server breach, yet still provides the convenience needed to create and use strong passwords everywhere with very little effort.

But really, I think features you can get from "real" password managers, like strong password generation, non-browser passwords, secure storage of non-password data, linking sites together that share credentials, multi-browser support, etc. are worth trying out if you're willing to step outside of the browser.

Ben

It's a trade-off. You defend against phishing attacks, but you lose against physical or software attackers.

Just be aware that Firefox comes with everything the attacker needs. You must remain vigilant about the physical security of your computer.

For a simple proof, go to any login prompt with a saved password field. I'd recommend looking at your bookmarks, and trying to find one named "My Bank". Click the username field, then pick the top listed entry. The password should auto-fill with asterisks or dots. Right click on the password and pick "Inspect Element". In the inspector window, locate the type="password" attribute, highlight it, then hit delete. Press enter, and the password is revealed in the browser.

Just remember, if your computer isn't locked, any high school kid can probably do this.

John Deters
  • Please limit the answer to items that change between Remembering Passwords With Master Password and Entering The Password Manually Each Time. – 700 Software Jan 06 '14 at 23:58
  • *"lose against physical or software attackers"* I don't see how this relates. Where does it become easier to attack when I use encrypted password memory? *"simple spoof...saved password field"* That wouldn't work on Master Password Protected memory. – 700 Software Jan 07 '14 at 00:00
  • Physical access to Firefox, once you've entered the master password, allows unrestricted access to your saved passwords, regardless of whether you use encryption or not. – John Deters Jan 07 '14 at 00:24