This thread was archived. Please ask a new question if you need help.
The new sync process and master password do not mix
The article "Why can't I sync my passwords?" states that the master password inhibits the syncing, which is why the option "sync password" is greyed out if the master password is used. So to sync the passwords one needs to turn the master password off, i.e. set it to "empty".
What speaks against the following:
- turn the master password off and let the sync harvest the existing passwords
- turn the master password on
- do this on all the devices of concern
Eventually, all the devices should have the passwords "more or less" synced, while still enjoying the safety provided by their master password. "More or less", because doing the above procedure consecutively for devices A, B, C ends with B having a synced set of passwords from A and B, and C the set containing the sync pwds from A, B and C (which is then the valid set of passwords in the cloud). Given the fact we do not change passwords too often, this should not be a big problem. One can, for instance, repeat the above procedure for A at the end of the round.
Does it make sense?
Modified by John99
All Replies (11)
I tend to avoid using Sync and do not follow the progress much. I wonder if there are already bug/wikis/plans to fix this ?
It would seem sensible, given that someone wishes to sync, that the passwords should be syncable even with a master password set. Maybe add an extra confirmation step if it is thought necessary. We should have a programmatic solution instead of making users jump through hoops on a workaround.
- turn the master password off and let the sync harvest the existing passwords
- turn the master password on
- do this on all the devices of concern
I doubt if that would work. Without using a Master Password (MP) Firefox uses two files for storing password data. When the MP is used a third file is used, along with the first two.
Turn off the MP and then Sync, the 3rd file wouldn't Sync (I suspect) and the Passwords would be useless.
Then there's the issue of when the user starts using a MP, any Passwords already saved aren't "protected" by the MP. Partial set of Passwords would Sync, if that 3rd file wouldn't be Sync'd. (Paternalistic behavior?)
I suspect that Mozilla might be concerned about Mobile devices becoming lost, complicated by the user accidentally syncing passwords on Mobile devices.
Then there is the Persona program.
Why Sync Passwords when Persona is available and the user doesn't need passwords saved on any or every device?
In the "retail world" it's known as bundling of services. But with Firefox there's no extra cost - in fact it's all free! I suspect that is why the new Sync doesn't allow Sync with the MP feature turned on.
I just want to have a cake and eat it too.
I added my 2c to the 993461 bug - which is a different story afaik.
I'm very disappointed with the way Mozilla is heading. This last v29 update is really pushing my buttons. To me it seems Mozilla is trying to get rid of its user base, as it is clearly lacking any common sense.
Now, this new master password vs sync issue is really something else. I couldn't believe my eyes when I read the official "solution" provided. Were they high or something?
If they continue this trend, the solution after the next update would be to get a piece of paper and a pen and write down the passwords?
"bundling services" is fine, as long as the barn door is not left wide open, as is the case now with "no master password". What have they been smoking?
So how about syncing the passwords along with the master password; syncing the master password along with the saved passwords?
I realise that the master password would then have to be stored in mozilla's server, so as an alternative; Maybe instead of using a master password, if you wanted to use the 'master password' you would have to login to your mozilla account if you wanted to use the stored passwords?
In any case, if you're not connected to the internet then I don't see why you would want to access your passwords... so if you were just checking a password by loading up firefox, the only reason for finding out the password would be so you can login to a site, REQUIRING internet anyway...
and if your mozilla account was hacked, can your passwords be stolen anyway if you've set up sync for passwords? (or is there a 'was this you' message if the passwords are synced to an unknown PC?)
"The issue in this bug is about the fact we no longer sync your passwords if you have a master-password enabled. We realize this is a significant limitation and we are working on a fix to bring things back to parity with the old sync. We do take this issue seriously, and the fix will almost certainly involve storing the FxA credentials in the login manager, so would be as protected by the master-password as any other passwords are."
Obviously new sync has its flaws apparently due to abandoning the old pairing method in favour of everyone understands logins and emails. The restriction was considered necessary on security grounds.
I suppose there's probably not much here that hasn't already been mentioned by rnewman in bug 995268, but opening a previously-hidden bug is much more visible to the bad guys looking for juicy details to exploit.
And a comparison and explanation
Is there a projected date for the development and release of a Master Password/SYNC fix? Until it's available, I can see that the quality of my Firefox experience will be severely diminished. SYNC and the Master password are 2 of the major features that have kept me a loyal Mozilla user. My bright and inquisitive grandchildren are always pointing out the wonders of their favorite new browser. Every time I try one, it would always come back to "Will it remember and protect my data (passwords included) and can I use it easily on the many devices I access." For instance the borrowed PC I booted with my ubuntu thumb drive and composed this message on. Please hurry and fix it!
I cannot understand why mozilla would take this route. It is a decision that reduces security. (by forcing me to remove my master password)
Not impressed. I just downloaded and installed Firefox on my Android SPECIFICALLY for password syncing. Now I am told to use a user tracking service (Persona) to do my password.
Not going to happen!
Unimpressed. Bring back password syncing please.
Yes this is very annoying.. Any update on a fix yet? I love the sync function but want my passwords to sync too.