Why is there such a wicked security flaw?
So for all users of Firefox - our passwords are blindingly visible to anyone who is familiar enough with Firefox to have poked around in the security settings. For those of you who do not know...
1. Go to any webpage you normally visit. 2. To the left of its web address, click on the lock next to the text. 3. Click on the button "More information..." 4. Click on the button "View saved passwords" 5. In the Search field, click on the x, or clear the results. 6. Next, click on "Show passwords"
Another option is: 1. Goto Preferences 2. click on Security tab 3. press Saved Passwords 4. follow steps 5 and 6 above.
If you did not realize this was a feature, I'm sure you are in shock at the historical collection of easily accessible security data only mere clicks away from anyone who should happen to sit down at your computer.
This is rather disgusting!
However, there is a way to add password protection that renders firefox unusably clumsy and almost not worth the trouble. Adding a master password. Unfortunately, now, every single time I open firefox, I have to type in my master password. It's ridiculous. I cannot open firefox without having to type it in, making the other options for web-browsing increasingly more attractive alternatives.
It would be ideal if I only needed to type in my master password if I wanted to see the entire list of passwords you keep handy for anyone's reference, and not every. single. time. I open the program.
It's like going from absolute zero security regard, to complete overkill.
Please fix this. I love Firefox, it is my browser of choice, but: 1. I cannot have my passwords published in such a frivolous manner 2. I will not tolerate entering a master password every single time I am browsing the web.
You've put me between a rock and a hard place and I am gradually shifting to Vivaldi unfortunately. I will only use Firefox for development in the future unless something is done about this.
Alle Antworten (6)
hello, this is inherent to every browser out there - if you don't encrypt your passwords they will be accessible in one way or another: http://www.nirsoft.net/utils/web_browser_password.html
as for the master-password request at startup: i cannot reproduce the behaviour you have described on my machine with a master password set - the dialog should be triggered the first time the password information is necessary, either by autofilling it on a site, when you go to the view passwords section manually or when you are using sync or an addon that accesses the software security device...
Right, I understand that there is access one way or another for all browsers. Firefox just builds it right in for you though. At least I find solace in that someone would have to install something else to view my saved pass.
I suppose the master password is not at startup, but every time I log onto gmail, or facebook, or something like that, which happens often directly after I start up my web browser. So not by design, but by behavior.
From a user-centric or UX perspective, requiring a password to use saved passwords is one target, but skipping that step and requiring a master password to VIEW saved passwords is another option that I wish was available.
Thereby allowing me to use firefox for my daily rigamarole without having to concern myself with a master password. Until for instance, one day I wanted to view the actual text letters beneath the bulleted over characters, then a password would be a handy dandy feature.
I hear you, that everything is vulnerable, but this is the most frivolous flaunting of security with intention that I've come across in daily use I suppose. In that nothing else reveals my entire collection and history of passwords that I've taken effort to "never write down".
Even in my own personal collection of curated information do I not possess a record of passwords as complete as the one provided me by firefox. I have recommended it to my family as well on their home computer, meaning I will have access to every single one of their passwords as well. It would be my recommendation that they no longer use firefox for this reason.
It really really should be changed Philipp. This is my final thought on the matter.
The passwords (and the name) are encrypted via the master password when one is used. If you enter the master password then you log in to the software security device and all saved passwords can be accessed. Even if Firefox will ask for the MP when you want to view or copy them in the Password Manager then this isn't really necessary to access passwords. You can log out of the software security device by canceling a a prompt to enter the MP or do that manually in "Options/Preferences > Advanced > Certificates > Security Devices: Software Security Device"
Right, I understand how things work, or how Firefox wants me to understand how to behave. People like my family and friends don't however. I used to recommend Firefox with gusto to everyone. It's like a Sherman Tank I'd say. I love it, I'd tell them. Don't use Chrome, definitely don't use Safari. Firefox, firefox, firefox...
Until this issue is fixed, I'm going to tell each and every one of them to uninstall it, and use chrome only, because that is much more feasibly doable than educating every single person I know on the security risks and how to deal with them.
If this issue isn't rectified to provide a better experience for the average person, they're not just losing me, they're losing my outspoken support and consistent recommendations of Firefox. I don't think anyone can afford that. I still very much prefer firefox, but I'm not about to promote this master password nonsense, when it can be circumvented entirely with the default experience of chrome.
Fix the UX or good luck, it's been great!
"... our passwords are blindingly visible to anyone who is familiar enough with Firefox to have poked around in the security settings."
It's been that way since day one with Firefox - nothing new or as "earth shaking" as you make it out to be.
Firefox at least can use a Master Password to protect the passwords with an extra level of prrotection. Google Chrome uses the same storage as the OS and once logged on to a Windows account then all GC passwords are visible and can be accessed by anyone.
You can direct others to this knowledge base article: