How Firefox securely saves passwords

Revision Information
  • Revision id: 191362
  • Created:
  • Creator: Michele Rodaro
  • Comment: Link to Firefox Desktop "Master password" article (it was for Android)
  • Reviewed: Yes
  • Reviewed:
  • Reviewed by: AliceWyman
  • Is approved? Yes
  • Is current revision? No
  • Ready for localization: Yes
  • Readied for localization:
  • Readied for localization by: AliceWyman
Revision Source
Revision Content

Firefox Accounts and Firefox Sync allow you to save and sync your logins as well as let you know if any of your passwords are vulnerable. They both also protect your passwords so that even Mozilla can’t see them. Meanwhile, Firefox Lockwise checks your saved websites against a database of breached websites to let you know if your logins are vulnerable.

Firefox Sync

If you have Firefox Accounts and enabled the sync functionality, your sync login data (usernames, passwords, hostnames) is fully encrypted once it's created and/or modified. However, Mozilla doesn’t decrypt your usernames and passwords when they are stored on the sync server.

If you forget your Firefox Accounts email and password, Mozilla will not be able to recover your sync data as we do not have access to it.

For all the technical details regarding how this entire process works, see protocol documentation.

Firefox Desktop

Firefox Desktop encrypts your passwords locally in your user profile directory using a logins.json file. Firefox Desktop uses simple cryptography to obscure your passwords. Mozilla doesn’t have the ability to see passwords, but Firefox Desktop does decrypt the password locally so that it can enter them into form fields.

For the best security, use a Master Password to encrypt your passwords.