Search by password in Logins & Passwords screen

I just noticed that on the Logins & Passwords page (about:logins), it is possible to search on logins by password. In my opinion this is a security threat, as it makes password guessing nearly trivial. Sure, an attacker would have to get their hands on your laptop/computer, but they can use this strategy to find your password without having to know your master password. I'd love to know whether A) this is intended behavior, and B) if so, if there is a way to turn this off.

All Replies (5)

.....

Modified by jonzn4SUSE

.....

Modified by jonzn4SUSE

Erik Takke said

I just noticed that on the Logins & Passwords page (about:logins), it is possible to search on logins by password. In my opinion this is a security threat, as it makes password guessing nearly trivial. Sure, an attacker would have to get their hands on your laptop/computer, but they can use this strategy to find your password without having to know your master password. I'd love to know whether A) this is intended behavior, and B) if so, if there is a way to turn this off.

This is a feature carried over from the old interface. Users sometimes request it on other platforms, such as Firefox for iOS, so I believe it exists intentionally.

I think it would be difficult to completely solve a password using the search form, but given enough time and persistence, it's theoretically possible.

The best way to block access to the page is to cancel your Primary password. Here's what I mean:

  • Open the Logins & Passwords page (menu > Passwords)
  • Click either the eye button or the Copy button next to any password
  • Cancel the Primary password dialog using the Cancel button or Esc key
  • Close or reload the page (Ctrl+R)

Logins are locked again. The password manager can no longer be used until you re-enter your Primary password.

It would be nice if there were a more convenient way to cancel it, or a way to require it every time.

Note that you can also log out and log in via the Security Device Manager.

  • Settings -> Privacy & Security
    Certificates -> Device Manager -> Software Security Device

Although not convenient, submitting this in the Browser Console* takes the same action as that Log Out button on the Settings/Preferences page:

Cc["@mozilla.org/security/pk11tokendb;1"]
.getService(Ci.nsIPK11TokenDB)
.getInternalKeyToken()
.logoutAndDropAuthenticatedResources();


* The command line in the Browser Console needs to be enabled: https://developer.mozilla.org/en-US/docs/Tools/Browser_Console#browser_console_command_line
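
The Browser Console command from the last reply, wrapped in a check that reports whether the logins are actually locked afterwards. This is an added example and not part of the thread. It assumes the token object also exposes `hasPassword` and `isLoggedIn()` (nsIPK11Token members not shown in the post), and `lockSavedLogins` is a hypothetical helper name.

```javascript
// Added example (not from the thread): lock saved logins and report the outcome.
// Assumption: nsIPK11Token exposes hasPassword and isLoggedIn().
function lockSavedLogins(token) {
  // With no Primary Password set there is nothing to log out of:
  // the saved logins stay accessible, so report that instead of success.
  if (!token.hasPassword) {
    return "no-primary-password";
  }
  // Nothing to do if the token is already logged out.
  if (!token.isLoggedIn()) {
    return "already-locked";
  }
  // Same call as in the reply above.
  token.logoutAndDropAuthenticatedResources();
  // Verify the state rather than assuming the logout took effect.
  return token.isLoggedIn() ? "still-unlocked" : "locked";
}

// Cc and Ci exist only in Firefox's privileged Browser Console,
// so this part is skipped when the file is loaded anywhere else.
if (typeof Cc !== "undefined" && typeof Ci !== "undefined") {
  const token = Cc["@mozilla.org/security/pk11tokendb;1"]
    .getService(Ci.nsIPK11TokenDB)
    .getInternalKeyToken();
  console.log(lockSavedLogins(token));
}
```

A result of "no-primary-password" means the logout call would not protect anything, because the Logins & Passwords page is not gated by a Primary Password in that profile.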