49
3
I have been using the Firefox password manager for a long time, but never checked/verified how secure it is.
27
The following post from the luxsci.com blog sums it up best:
When Master Passwords are in use, the data is encrypted using 3DES in CBC mode by default. If you choose a good, strong master password, then this level of encryption should be fine. 3DES is rated to be good for general use through 2020.
You should be aware that there are programs out there designed to crack open the saved passwords. One such program is FireMaster. If you do not choose a strong Master Password, then your encrypted database may be susceptible to being broken into.
I wonder how long it would take to crack the saved passwords, and how long it would take to crack the saved passwords with a strong master pw. Hmm, see this is from 2009. Guess it must be the same still. – Adam – 2018-12-14T16:00:03.577
3
If you are a Mac OS X user, one of the considerations is that it is not integrated with the OS-level "KeyChain" (password management). You can use Camino if you want a Mozilla/Gecko browser that is integrated at this level.
4 Wasn't exactly the question. – Joey – 2009-08-09T08:19:30.427
1 @benc - Should or would Mozilla want to add support for this? – 1.21 gigawatts – 2012-02-05T20:47:39.773
3
This is probably a biased personal opinion.
I feel that integrating password storage into any system that provides many other features weakens their security to the vulnerabilities possible in that system. Other parts of the combined system form the weaker links in the security chain. It also helps using a non-standard system (read the conclusion on this link).
To that end, I prefer storing them in a TrueCrypt encrypted file.
Some other discussions,
1 @curiousguy: the same would be true about any password manager - passwords always have to be entered into any webform in plain text. That is not a security flaw in the password manager. – naught101 – 2014-10-14T00:24:21.650
As of 2019, TrueCrypt is deprecated with known vulnerabilities (CVE-2015-7358) and succeeded by VeraCrypt. This is actually a good example of what Nik was talking about. The cryptographic implementation is still not known to be vulnerable, but a feature of the program itself can be used by a user-level attacker to gain elevated privileges. The VeraCrypt devs have rectified these problems and passed audit. – Eikre – 2019-04-17T17:22:45.233
2 Holes Remain Open in Firefox Password Manager "they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts." answer: "It is not about safety of the Firefox. It is about safety of websites that allows users to insert Javascript code to their sites." conclusion: the password manager is "insecure" on sites which are inherently insecure. – curiousguy – 2012-07-10T13:44:05.017
2
I have tried LastPass and it has, in my opinion, an inherent weakness. Namely, that although it has a virtual keyboard, this only opens up your LastPass vault. Not only is this displaying the sites you have passwords for (ok, the passwords themselves are 'hidden') but each time you want to log in to a site, you need to enter the master password, for which there is no virtual keyboard.
I ran a keylogger test and it would have intercepted my password this way. So now the hacker has access not just to one site but to my vault, i.e. all my logins. Now you can disable 'require password prompt', so you would only enter your password once via the virtual keyboard and not at each login.
The problem I have with this is as LastPass works in your browser, a hacker could log into a site without having to know your master password as it is effectively open. LastPass needs to employ a virtual keyboard similar to RoboForm or Kaspersky Password Manager.
Firefox and most other password managers suffer from a similar fault, the entry of a master password in an insecure manner.
0
What "data" is encrypted? Just the passwords, or the URLs as well?
I'm wondering if it could be broken using "cribs" such as "facebook", "youtube", "gmail"...
EDIT: according to the author of FirePassword/FireMaster, only the passwords and logins are encrypted :) http://securityxploded.com/firepassword.php
The key3.db file contains master password related information such as encrypted password check string, salt, algorithm and version information etc.
The signons.txt file contains the actual sign-on information:
Reject Host List: list of websites for which the user doesn't want Firefox to remember the credentials.
Normal Host List: each host URL is followed by username and password.
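An added example (not part of the original post, and not FirePassword/FireMaster code) of what the file described above leaves readable without the master password: host names and form field names. The exact line layout used here (a header line, reject hosts up to a lone `.`, then per-host blocks of field name and encrypted value closed by `.`) is a simplified assumption, and the sample data is constructed.

```python
# Added example: list what a legacy signons.txt reveals without the master
# password. The line layout is a simplified assumption, not from the page.
# Constructed sample: header, reject list up to ".", then per-host blocks.
SAMPLE = """\
#2c
https://bank.example
.
https://mail.example
user
ENC-CONSTRUCTED-1
*pass
ENC-CONSTRUCTED-2
.
https://forum.example
login
ENC-CONSTRUCTED-3
*secret
ENC-CONSTRUCTED-4
.
"""

def parse_signons(text):
    """Return reject hosts and per-host form fields; values stay opaque."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#"):
        raise ValueError("missing format header line")
    blocks, current = [], []
    for ln in lines[1:]:
        if ln == ".":
            blocks.append(current)
            current = []
        else:
            current.append(ln)
    if current or not blocks:
        raise ValueError("file truncated: last block has no '.' terminator")
    entries = []
    for block in filter(None, blocks[1:]):
        host, rest = block[0], block[1:]
        if len(rest) % 2:
            raise ValueError(f"odd field/value count for {host}")
        # Field names are cleartext; a leading '*' marks the password field.
        fields = [(n.lstrip("*"), n.startswith("*")) for n in rest[0::2]]
        entries.append({"host": host, "fields": fields})
    return {"rejected": blocks[0], "entries": entries}

if __name__ == "__main__":
    print(parse_signons(SAMPLE))
```

The encrypted values are never decoded; the output shows only the metadata that anyone with read access to the profile directory can see.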
0
There's a great online password manager called Clipperz. It's great for being able to access your passwords from any computer. You can also host the software on your own hosting provider. It's not as convenient as Firefox's password manager because you do have to log in to access your passwords, but the ability to have your passwords wherever there is an internet connection is really handy for me.
0
I strongly recommend to use LastPass instead. Firefox password manager is better than nothing, but even with a master password, it's not really that secure.
If you also want to share your passwords across multiple browsers and PCs, give LastPass a try as they really found a great and secure way to share your passwords, while keeping them safe.
They also explain their technology in detail, so you can check how exactly they are protecting the passwords. The only "downside": you have to use javascript, as they use it to encrypt and decrypt your passwords.
6 Please explain why you said "Firefox password manager [...] even with a master password [is] not really that secure" – Josh – 2009-11-09T20:54:15.293
0
For those asking what is encrypted, passwords or also URLs: the URLs are not encrypted in any of the presented solutions.
The problem starts if the browser has been logged in to a site with the checkbox "stay logged in" selected on the site login form. The session stays open for days, even weeks. If the computer inherits malware, the malware can just pop into the site and do its bad deeds.
To the other subject, I for one have also e.g. my PayPal password set in the Firefox password manager. Now I'm just waiting for malware to empty my CC account. It probably hasn't happened as few others have their PayPal/Amazon password set in Firefox.
This might be better asked on security.SE. – naught101 – 2014-10-14T00:24:52.853