A note of caution on Firefox's storage of passwords (Web Browsers)
Here's a general warning for Firefox users: Saved passwords are not safe if you do not create a master password. If you use Firefox and you want to see for yourself, go to Firefox's Preferences, visit the Security tab, and press the Show Passwords button. This will show all your passwords in plain text for anyone to see.

You can enable a password to protect this (check the Use a master password box, then enter a password), and you will then have to use the password once per session to unlock all the other passwords being stored. This affects both the PC and Mac versions of Firefox.

Why this matters: If you bring your Mac in for repair, anyone working there can see all your passwords by simply launching your browser. Your password may be your Social Security Number at some sites, such as banks or mortgage companies. Ergo, your financial information would be available to anyone who wanted it.

So if you use Firefox, add a master password to give yourself some level of protection.

[robg adds: Safari, Camino and OmniWeb all use the Keychain to store passwords, so this is exclusively a Firefox issue. On the overall scheme of exposures, I don't think it's a huge one -- your machine should be locked if you're away from it and others have access to it. However, it is a concern when sending a machine back for service, or in any other situation where others may be using it without your supervision. Speaking of sending machines in for service, you might want to read this hint if you're concerned about security during the service period.]
A note of caution on Firefox's storage of passwords
Authored by: alani on Jan 24, '07 07:49:31AM

I might disagree with Rob on this one. It seems like a much bigger problem than passwords stored in Keychain.

While passwords on a computer can be overridden by someone with physical access, I don't think passwords can (in general) be displayed -- they're stored as encrypted strings. Am I mistaken?

This problem is further aggravated by remote back-ups. I back up my Firefox profile to a couple different places that are probably less secure than my Mac. Can anyone grab those copies and spy my passwords?

A note of caution on Firefox's storage of passwords
Authored by: johnsonua on Jan 24, '07 10:51:38AM

Firefox *stores* the passwords (master password or not) in encrypted form. The issue is the display of the passwords within the program, and this is a good, common sense tip.

A note of caution on Firefox's storage of passwords
Authored by: Brock Lee on Jan 24, '07 12:59:03PM

But if I'm reading the initial post correctly, it can be automatically unencrypted without the user having to provide a password. This can only be possible if the key is known or can be easily derived. And if that's the case, this "encryption" is not worthy of minimal security.

A note of caution on Firefox's storage of passwords
Authored by: JBoivin on Jan 24, '07 08:09:10AM

Anyway, I think you should never save the password for your bank account or any sensitive site like that. Even with the Keychain, it can be retrieved, so...

I do save password for sites (like MacOSXHints, for instance), but would never do it for my bank or Paypal, for example.

A note of caution on Firefox's storage of passwords
Authored by: Brock Lee on Jan 24, '07 12:55:25PM

What do you mean that even using OS X's Keychain, passwords can be retrieved? The Keychain is encrypted, is it not?

A note of caution on Firefox's storage of passwords
Authored by: adrianm on Jan 24, '07 08:17:07AM

This has long been a gripe of mine with firefox, and a reason why I never use it for anything involving privacy or money.

Even if you do set a master password, if you want to look up a password, firefox helpfully shows _all_ of them at once (I was horrified the first time I saw this), so anyone watching over your shoulder will see them.

---
~/.sig: not found

A note of caution on Firefox's storage of passwords
Authored by: nmerriam on Jan 24, '07 08:18:19AM

Good lord, this is the single worst security decision I've seen in Firefox. Being able to just show every password and username in plain text is ridiculous! It's one thing to autocomplete and know that someone with physical access to a machine can log on to an account from that system, it's another to show what the actual password used is (since I think the vast majority of people use a few passwords) and let the person see whatever pattern or phrases the user likes to create passwords with.

No worse than auto-fill
Authored by: stewby on Jan 24, '07 10:12:56AM

Auto-fill and display are exactly the same level of security. Javascript can read the value of password fields, which means that if someone visits a page that auto-fills your password they can run Javascript from the URL bar to display that filled password.

If you don't trust the security around physical access to your machine/account, you shouldn't be storing any passwords.

No worse than auto-fill
Authored by: nmerriam on Jan 24, '07 01:19:44PM
> Auto-fill and display are exactly the same level of security. Javascript can read the value of password fields, which means that if someone visits a page that auto-fills your password they can run Javascript from the URL bar to display that filled password.

That's still dramatically more work than clicking three times and getting a complete list of web sites with associated user names and matching passwords. Having to visit each site individually and run JS, then combine all that information takes time. Displaying this huge list of information, doing a screen capture, and pasting it in an email to yourself is something that can be done in literally a few seconds while someone's back is turned.
No worse than auto-fill
Authored by: stewby on Jan 24, '07 01:33:41PM

It would be simple to write a script to do most of the work very quickly (which is actually a big part of the reason that it's currently impossible to run AppleScript on existing pages in Camino). Even manually, stealing a few very sensitive passwords would only take a minute or two.

If your whole security model is based on people not having access to your machine unattended, then you should assume that if someone can get 30 seconds of access they can probably get 2 minutes.

A note of caution on Firefox's storage of passwords
Authored by: hypert on Jan 24, '07 09:46:59AM

I actually like this feature in Firefox! I have to change some passwords every 90 days. I open this up in Firefox (obviously, not with someone standing behind me!), sort by password, delete the ones I saved that are now obsolete, and Firefox will re-prompt me to enter the new password when I visit those sites.

A note of caution on Firefox's storage of passwords
Authored by: hdms on Jan 24, '07 11:51:35AM

A very important and timely tip - our state Department of Education has just made Firefox its default browser for Macs to use on its network, and I doubt if anyone is aware of this security implication.

Personally I use the Firefox's 'clear all private data' feature to wipe history, cookies and passwords when I quit it; there's also an extension called SafeHistory that does that, too. Then again, I use Safari (with Keychain) as my primary browser.

A note of caution on Firefox's storage of passwords
Authored by: Brock Lee on Jan 24, '07 01:02:09PM

But you can also do this with the OS X Keychain Access application you can find in /Applications/Utilities. You cannot sort by password, but you can search and sort by domain name.

A note of caution on Firefox's storage of passwords
Authored by: themacnut on Jan 24, '07 12:20:32PM

Another good reason to have more than one account on your Mac if you're not the only one who'll be using it. Have one account for your exclusive use, that no one else gets to play around in, and have other accounts for the others in your household, or even just a generic guest or family account for others to use.



---
The MacNut
Owner, ClarisWorks/AppleWorks Email List
http://awlist.macnuthome.com
The Vanguard, my webcomic:
http://thevanguardhome.com
A note of caution on Firefox's storage of passwords
Authored by: juzzyp on Jan 24, '07 12:47:11PM
Camino was my browser of choice for all financial sites for this type of reason, although I am trialling the 1Passwd Password Manager app now because of:
  • cross browser form management (I use Flock and Camino for different reasons, and Opera which does not integrate with 1Passwd).
  • Uses the Keychain, so I don't have to remember one more "backup-vital" area

Would love to hear others' recommendations for a good Password Manager across different browsers.

Someone above mentioned that the Keychain is not safe? Are we saying it is hackable with time and resources (as most things are), or is there a more sinister weakness than that I should know about?

A note of caution on Firefox's storage of passwords
Authored by: stewby on Jan 24, '07 01:24:27PM

There's no sinister weakness, just a fundamental trade-off inherent in any automatic password autofill system. If you have your bank's password stored (be it in Keychain, Firefox's storage system, wherever) and you have things configured such that when you visit your bank the password is auto-filled without your having to supply a password, then someone sitting in front of your open browser has full access to the password.

It's not a storage problem. If you say that Camino/Firefox/Flock/whatever application is always authorized to read a password, you have to enforce access to that application if you want your passwords to stay secure.

A note of caution on Firefox's storage of passwords
Authored by: juzzyp on Jan 25, '07 08:50:04AM

Glad to hear it. Indeed, my Keychain (and the Password app) are enabled by separate master passwords.

A note of caution on Firefox's storage of passwords
Authored by: david-bo on Jan 26, '07 03:23:27AM

The master password is very annoying; I have to reenter it every 5 minutes or so (or is it when I visit a site that requires autofill for the first time?). I want to enter the master password when I launch Firefox and then never again until Firefox is restarted.

Any ideas?

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=

A note of caution on Firefox's storage of passwords
Authored by: lincd0 on Jan 28, '07 06:36:37AM

Use FileVault and encrypt your swapfiles if you want to have any expectation of security against a physical attack.