If you use a PP that can be cracked by a dictionary lookup including some known replacements for characters or some other list of common known passwords then that is at your risk. If you use a random password of sufficient length and strength (uppercase, lowercase, numbers, symbols, other Unicode characters) as shown in the change PP dialog then you should be safe enough. Note that you wouldn't have to use the Password Manager, but you merely need access to logins.json and key4.db to be able to crack the PP.

Note that is you would use OS authentication (Windows Hello or biometrics) that the logins aren't encrypted at all in logins.json like is done with the Primary Password.

• https://support.mozilla.org/en-US/kb/password-strength

Thanks. I am sorry but my question was about cracking the password easily without any required knowledge, not the password file. Sequential pass on all the reasonable keys in combinations up to a reasonable length would take AFAIU very short time, without any need to limit the search to dictionary words.

Regarding encryption of logins, I have looked at the file with and without primary password. The file looked the same and passwords were encrypted.

Without PP the passwords are still encrypted with a basic salt that is stored in key4.db. The PP adds an extra encryption layer and Firefox 73+ use stronger encryption (more iterations).

Do you want to file a bug suggesting a delay be added after some number of wrong guesses?

https://bugzilla.mozilla.org/

Unfortunately, using a very simple program that I wrote I have proven that this is a serious problem and submitted a bug report.