
Support Forum

If I disable my master password and enable sync of my passwords, how are they encrypted? What is my encryption key?

Posted

In the new sync feature I can select passwords to be synced but then I need to disable my master password.

How exactly are my passwords stored and encrypted when I sync them? I want to be in control of the encryption key that encrypts my passwords. I don't feel that the security solution for storing my passwords in the sync solution has been adequately explained to me.

I'm considering getting LastPass instead.

Regards, Daniel Hegner


Additional System Details

Installed Plug-ins

  • Google Update
  • Shockwave Flash 13.0 r0
  • WidevineMediaOptimizer
  • Picasa plugin
  • 5.1.30214.0
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • The plugin allows you to have a better experience with Microsoft Lync
  • Citrix ICA Client Plugin (Win32)

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0


John99 971 solutions 13138 answers

I am not sure we have fully documented this properly.

I will tag this question as escalate. That will bring it to the attention of the other contributors and the HelpDesk staff, but be aware it could be two or three days before HelpDesk staff get round to answering. Meanwhile see a previous post of mine that partly explains the situation and links to what documentation I can find.

  • are bookmarks encrypted? [/questions/993302#answer-571374]
  • For the benefit of others reading this thread: the disabling password issue is mentioned here: Why can't I sync my passwords?

That in itself probably needs a better explanation rather than just a comment saying it can not be done.

guigs 1072 solutions 11697 answers

Helpful Reply

Hi da9l,

Thank you for escalating this John99. After reading the documentation of the blog post. The new sync encrypts the key with

https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol

  • "On the server, code should get entropy from /dev/urandom via a function that uses it, like "crypto.randomBytes()" in node.js or "os.urandom()" in python."
  • "HKDF-based stream cipher is used to protect the contents of some requests."
  • options.payload = true is recommended

Right now the master password and sync password are not synced https://bugzilla.mozilla.org/show_bug.cgi?id=995268

This discussion is also taking place; for more info see Brian Warner's blog post on the old and new sync: https://blog.mozilla.org/warner/2014/04/02/pairing-problems/

To address this https://bugzilla.mozilla.org/show_bug.cgi?id=973759, however it is in backlog so I recommend not syncing passwords for now unless you change the sync password often.


Modified by guigs
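
What an "HKDF-based stream cipher" of the kind quoted in the reply above looks like in general, as an added example that is not part of this thread and is not Mozilla's code. The `INFO` label, the 32-byte key size and the split of the HKDF output into a MAC key followed by an XOR key are assumptions for illustration.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
MAC_LEN = HASH().digest_size  # 32 bytes for SHA-256
INFO = b"example/v1/response"  # hypothetical context label


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand to `length` bytes."""
    if length > 255 * MAC_LEN:
        raise ValueError("requested HKDF output is too long")
    prk = hmac.new(salt or b"\x00" * MAC_LEN, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def seal(request_key: bytes, info: bytes, payload: bytes) -> bytes:
    """XOR the payload with HKDF output and append an HMAC over the result.

    request_key must be used for one message only: reusing an XOR
    keystream exposes the XOR of the two plaintexts.
    """
    stream = hkdf(request_key, b"", info, MAC_LEN + len(payload))
    mac_key, xor_key = stream[:MAC_LEN], stream[MAC_LEN:]
    ciphertext = bytes(p ^ k for p, k in zip(payload, xor_key))
    return ciphertext + hmac.new(mac_key, ciphertext, HASH).digest()


def open_sealed(request_key: bytes, info: bytes, blob: bytes) -> bytes:
    """Verify the HMAC in constant time first, then undo the XOR."""
    if len(blob) < MAC_LEN:
        raise ValueError("blob too short")
    ciphertext, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    stream = hkdf(request_key, b"", info, MAC_LEN + len(ciphertext))
    mac_key, xor_key = stream[:MAC_LEN], stream[MAC_LEN:]
    expected = hmac.new(mac_key, ciphertext, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: payload was modified or key is wrong")
    return bytes(c ^ k for c, k in zip(ciphertext, xor_key))


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key, one use only
    blob = seal(key, INFO, b"constructed sample payload")
    print(open_sealed(key, INFO, blob))
```
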

cor-el
  • Top 10 Contributor
  • Moderator
17567 solutions 158896 answers
See:

  • https://wiki.mozilla.org/Identity/Firefox-Accounts

John99 971 solutions 13138 answers

Helpful Reply

Thanks cor-el & guigs2

Interesting blog & Github articles. I look forward to the 2nd blog article.


Question owner

Well I now understand that my bookmarks and passwords are securely stored at the Mozilla servers but my concern now is that they can no longer be stored securely when at rest on my devices if I want sync to work.

Making it impossible to sync passwords that have been encrypted by a master password breaks one of FF's top selling points IMHO.

My suggestion is that the sync password and the master password are merged into the one and same with the option to ask for it every time the user starts the browser.

That would enable secure storage of the passwords both in transit and at rest in each synced device and re-enable one of FF's top unique selling points IMHO.

Regards, Daniel Hegner


Modified by da9l

John99 971 solutions 13138 answers
I have not yet noted the 2nd follow on blog to

  • https://blog.mozilla.org/warner/2014/04/02/pairing-problems/

I have seen another series of blogs on the subject

  • https://blog.mozilla.org/services/2014/02/07/a-better-firefox-sync/
  • https://blog.mozilla.org/services/2014/04/30/firefox-syncs-new-security-model/
  • https://blog.mozilla.org/services/2014/05/08/firefox-accounts-sync-1-5-and-self-hosting/

MikeCush 0 solutions 2 answers

I've looked through all the posts on this topic and none of them have explained why the new sync has required us to make our passwords insecure on our computers.

I'm sure someone must have decided this was a good idea - please let the rest of us know why and what the logic was.

John99 971 solutions 13138 answers

Unfortunately the master password system and the sync of passwords are separate and incompatible systems.

The Master password System is relatively low security. There is a possibility that either the Master Password system or Sync may be modified at some future date to address this issue.

Possibly you may wish to investigate the use of some third party solution. Possibly the LastPass addon.

  • https://addons.mozilla.org/firefox/addon/lastpass-password-manager

John99 971 solutions 13138 answers

The second blog, mentioned upthread, is now available:

  • https://blog.mozilla.org/warner/2014/05/23/the-new-sync-protocol/

cor-el
  • Top 10 Contributor
  • Moderator
17567 solutions 158896 answers

Note that if you are connected to Sync that the data to connect to your Firefox Account is stored in the signedInUser.json file in the Firefox profile folder (if you disconnect then this data is removed).

  • Bug 970167 - disable password sync when master password is enabled
  • Bug 909967 - Firefox Account Signed-in User module