12

As a follow-up to "Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?", I would like to know how Firefox's password manager compares if you have a master password, and also how secure their sync feature is.

bobby
    The behaviour of the Firefox password manager was just mentioned in a blog post: https://blog.mozilla.org/dolske/2013/08/20/on-firefoxs-password-manager/ – JoltColaOfEvil Aug 21 '13 at 23:13

1 Answer

9

Firefox's Sync is a locally AES-256-CBC encrypted database of your stuff (which can include passwords), stored on Mozilla's servers. The key does not leave your browser in an unencrypted form that can be decrypted by anyone but you. But it does end up on every Firefox browser you sync with.

The Sync key is stored locally in your passwords. If you don't have a Firefox Master Password, it's not encrypted on your machine. If you use a Master Password, the Sync key is unencrypted from the moment you enter it into Firefox.

The Sync key is available from your browser. Go to Options/Firefox Sync, click the "Manage Account" tool, pick "My recovery key", and it will produce a printable version of your key. You can type the user's email address and that key into any other instance of Firefox and you will be included in Syncing, and therefore have full visibility into all Synced passwords.

Just like a logged-in Lastpass client, and just like Chrome, the security of the data relies on the user to deny access to parties that might compromise their password. Anyone's email account is practically a given, so all secrecy lies in that key. Do you Sync to your cell phone? Might want to think twice if you're prone to losing phones. Do you lock your desktop every time you step away from it? Perhaps it's time to get into that habit.

There is no extra magic Firefox can apply. Convenient tools that save passwords expose you to extra risk, regardless of who makes them or who gives them away. It's up to you to determine if the convenience is worth that extra risk.

John Deters
  • So the availability of the recovery key only on the local machines is a difference with Google Chrome. Great answer!! It was what I was looking for. Could you update your answer with the type of encryption Firefox uses? Is it only the default NTFS filesystem encryption? – bobby Aug 27 '13 at 17:20
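To make the answer's description concrete (a record encrypted locally with AES-256-CBC, the server holding only the resulting blob, and anyone who types the same recovery key into another browser able to read it), here is an added example in Go. It is not Mozilla's code and not the page's own; the key-derivation label "Sync-AES_256_CBC-HMAC256", the two-step HMAC expansion, and the envelope layout are modelled on my recollection of the old Sync 1.1 client-side format and should be treated as assumptions rather than a wire-compatible implementation. The account name, the saved login and the recovery key are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is all the server ever stores for one record: ciphertext, IV and a
// MAC. Without the recovery key none of these fields reveals the plaintext.
type Envelope struct {
	Ciphertext string // base64(AES-256-CBC ciphertext)
	IV         string // base64(16-byte random IV)
	HMAC       string // hex(HMAC-SHA256(macKey, Ciphertext string))
}

// deriveKeys expands the 128-bit recovery key into a 256-bit AES key and a
// separate MAC key (HKDF-Expand with SHA-256). The info string is an assumption
// modelled on Sync 1.1; it binds the derived keys to the account name.
func deriveKeys(recoveryKey []byte, username string) (encKey, macKey []byte) {
	info := []byte("Sync-AES_256_CBC-HMAC256" + username)
	m := hmac.New(sha256.New, recoveryKey)
	m.Write(info)
	m.Write([]byte{1})
	encKey = m.Sum(nil) // T(1): 32 bytes, used as the AES-256 key
	m.Reset()
	m.Write(encKey)
	m.Write(info)
	m.Write([]byte{2})
	macKey = m.Sum(nil) // T(2): 32 bytes, used as the HMAC key
	return encKey, macKey
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt is what the browser does before uploading: the server only sees the Envelope.
func Encrypt(recoveryKey []byte, username string, plaintext []byte) (Envelope, error) {
	encKey, macKey := deriveKeys(recoveryKey, username)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return Envelope{}, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return Envelope{}, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ctB64 := base64.StdEncoding.EncodeToString(ct)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(ctB64)) // encrypt-then-MAC over the encoded ciphertext
	return Envelope{
		Ciphertext: ctB64,
		IV:         base64.StdEncoding.EncodeToString(iv),
		HMAC:       hex.EncodeToString(mac.Sum(nil)),
	}, nil
}

// Decrypt is what any browser holding the same recovery key does after download.
// The MAC is checked first, so a wrong key or a tampered record fails closed.
func Decrypt(recoveryKey []byte, username string, env Envelope) ([]byte, error) {
	encKey, macKey := deriveKeys(recoveryKey, username)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(env.Ciphertext))
	want, err := hex.DecodeString(env.HMAC)
	if err != nil || !hmac.Equal(mac.Sum(nil), want) {
		return nil, errors.New("HMAC mismatch: wrong recovery key or tampered record")
	}
	ct, err := base64.StdEncoding.DecodeString(env.Ciphertext)
	if err != nil {
		return nil, err
	}
	iv, err := base64.StdEncoding.DecodeString(env.IV)
	if err != nil || len(iv) != aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed sample data: a fresh 128-bit recovery key, an account, one saved login.
	recoveryKey := make([]byte, 16)
	if _, err := rand.Read(recoveryKey); err != nil {
		panic(err)
	}
	user := "alice@example.com"
	login := []byte(`{"hostname":"https://example.com","username":"alice","password":"hunter2"}`)

	env, err := Encrypt(recoveryKey, user, login) // browser A uploads this
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the server stores: %+v\n", env)

	pt, err := Decrypt(recoveryKey, user, env) // browser B, same recovery key
	fmt.Printf("browser with the key reads: %s (err=%v)\n", pt, err)

	_, err = Decrypt(bytes.Repeat([]byte{0}, 16), user, env) // attacker with only the server blob
	fmt.Println("without the key:", err)
}
```

The design point the answer makes falls out of the code: the server's copy is useless without the recovery key, but the recovery key alone (plus the account name) is sufficient, so every device that has it, and anyone who can read it from an unlocked or stolen device, has every synced password.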