
Support Forum

How secure are my passwords on the FF servers when I use sync?

Posted

I just discovered https://haveibeenpwned.com/ and found out that my user names, email address, passwords, personal details etc have been found for sale on 6 different hacker databases / CDs.

Yikes!

Up till now I had all my passwords written down in a numbered list and if I wanted one, I'd look up which number it was from a list of websites I kept on my wiki. Smart, I thought. But reading about security and cracking websites, I discovered that all my self-made passwords were weak, weak, weak, and often repeated :O whoops.

So my solution is to use the PWGen FF add-in to generate passwords of awesome uncrackability with 16 characters and profusely populated with any of `~!@#$%^&*()-_=+[{]}\|;:'",<.>/?

Perhaps obviously owing to the advanced decrepitude of my mind, I am never going to try to type these in or even hope that I might remember them.

I'll let FF keep them in the password manager and encrypt them with a master password. But I will have to sync them all so I can also use them on my work laptop, my virtual host, my iPad, my Android phone etc etc.

A few questions:

(1) Why isn't the master password for the PW manager synced? I have to apply it separately on each device. Or have I messed up something? That means I could have different master passwords on each device.

(2) I also have to remember the sync password. Would I be foolish to make the sync password the same as the master password? Have pity on my poor memory.....

(3) How secure are the FF servers? Where and how is the data stored? What level of encryption are they stored with? Are they salted with Dead Sea salt, pure pink Himalayan rock salt, or no salt at all? Would it take 100 monkeys a trillion years of hacking to crack their way in, download and decrypt my passwords?

I just checked and it looks like Thunderbird uses the same Password Manager as FF, at least I can see all my website passwords in my Thunderbird security settings. So hopefully all this applies to Thunderbird too.


Additional System Details

Installed Plug-ins

  • Shockwave Flash 25.0 r0

Application

  • User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0


the-edmeister
  • Top 25 Contributor
  • Moderator
5080 solutions 37473 answers

(1) That is the way the Master Password is designed to work with Sync. An extra layer of protection when using the Master Password feature.

(2) Sorry, I am not aware that is the case when using the Master Password with Sync. I have never felt the need for using the Master Password feature; while I have used Sync since the days when it was the Weave extension in Firefox 3.5 & 3.6, long before Sync became "standard" in Firefox 4.0.

(3) Very secure! Dual layer encryption - two "passwords" kA & kB - which never leave the user's devices. One is used for connection to the Sync server and the other is used to encrypt the user's data before it leaves each device and as the data is received it gets decrypted. And those dual passwords are created on each device by an algorithm from the user's chosen Firefox Account password. So, I would call it "state of the art" encryption.

Up till now I had all my passwords written down in a numbered list and if I wanted one, I'd look up which number it was from a list of websites I kept on my wiki. Smart, I thought.

I would suspect that could be the source of your passwords being compromised, over that of your data getting 'hacked' via Sync / Firefox Account services.


Question owner

the-edmeister said

I would suspect that could be the source of your passwords being compromised, over that of your data getting 'hacked' via Sync / Firefox Account services.

My passwords themselves were stolen, not hacked. It was LinkedIn and a couple of other sites that were compromised, and the hackers got away with my passwords (along with millions of others).

So in this case it pays to be paranoid. One detail I didn't mention initially is that the hackers were able to decrypt the passwords because the encryption used was not well implemented (from haveibeenpwned.com):

In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

Sucks, doesn't it?

Is that info which you give about the FF server security public info somewhere that I can have a look at?

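The breach summary quoted above says the LinkedIn passwords were stored as unsalted SHA-1 and fell within days. The following is an added illustration (not code from haveibeenpwned, LinkedIn or this forum) of why that storage choice matters: an attacker hashes a wordlist once and matches it against every user, and identical hashes reveal who shares a password. A per-user salt plus an iterated KDF (PBKDF2 here) multiplies the attacker's work by the number of users and by the iteration count. The leaked table, the wordlist, the sample users and the iteration count used in `demo()` are all constructed for the example; real deployments use hundreds of thousands of PBKDF2 iterations or a memory-hard function.

```python
"""Unsalted SHA-1 versus salted, iterated hashing for a credential store.

Added illustration for the LinkedIn breach summary quoted above; not code from
haveibeenpwned or LinkedIn. The leaked table and the wordlist are constructed,
and the PBKDF2 iteration count is a parameter so the demo runs quickly.
"""
import hashlib
import hmac
import secrets

# Constructed: an unsalted-SHA-1 store of the kind the breach summary describes.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty", "summer2012"]
LEAKED_SHA1 = {
    "alice@example.com": hashlib.sha1(b"linkedin").hexdigest(),
    "bob@example.com": hashlib.sha1(b"summer2012").hexdigest(),
    "carol@example.com": hashlib.sha1(b"linkedin").hexdigest(),
    "dave@example.com": hashlib.sha1(b"xK9!v2#Lq@7pW4mZ").hexdigest(),
}


def crack_unsalted_sha1(leaked, wordlist):
    """One SHA-1 per candidate word, computed once, cracks every user who chose
    it: no per-user work, and equal hashes expose shared passwords.
    Returns (cracked, number of hash computations)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def store_pbkdf2(password, iterations):
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pbkdf2(record, password):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_salted_store(records, wordlist):
    """The salt makes a precomputed table useless: each user costs a fresh
    PBKDF2 per candidate, and each PBKDF2 costs `iterations` HMAC calls.
    Returns (cracked, number of underlying HMAC-SHA256 computations)."""
    cracked, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += rec["iterations"]
            if verify_pbkdf2(rec, w):
                cracked[user] = w
                break
    return cracked, work


def demo(iterations=2000):
    """Same four users and wordlist under both storage schemes."""
    plain = {"alice@example.com": "linkedin", "bob@example.com": "summer2012",
             "carol@example.com": "linkedin", "dave@example.com": "xK9!v2#Lq@7pW4mZ"}
    salted = {u: store_pbkdf2(p, iterations) for u, p in plain.items()}
    unsalted_hits, unsalted_work = crack_unsalted_sha1(LEAKED_SHA1, WORDLIST)
    salted_hits, salted_work = crack_salted_store(salted, WORDLIST)
    return {
        "unsalted_cracked": unsalted_hits,
        "unsalted_work": unsalted_work,
        "salted_cracked": salted_hits,
        "salted_work": salted_work,
        # Two users with the same password: linkable under unsalted SHA-1,
        # unrelated under per-user salts.
        "shared_pw_visible_unsalted":
            LEAKED_SHA1["alice@example.com"] == LEAKED_SHA1["carol@example.com"],
        "shared_pw_visible_salted":
            salted["alice@example.com"]["hash"] == salted["carol@example.com"]["hash"],
    }


if __name__ == "__main__":
    r = demo()
    print("unsalted:", r["unsalted_cracked"], "work =", r["unsalted_work"])
    print("salted:  ", r["salted_cracked"], "work =", r["salted_work"])
```

Note what the comparison does and does not show: the three weak passwords are cracked under both schemes, because salting and stretching only raise the price per guess. The difference is that the unsalted store costs six hashes for all users at once, while the salted store costs 18 × 2000 HMAC calls here (and far more at production iteration counts). A long random password like dave's survives either way, which is the actual fix for a user.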
the-edmeister
  • Top 25 Contributor
  • Moderator
5080 solutions 37473 answers


ahardy42 said

the-edmeister said
I would suspect that could be the source of your passwords being compromised, over that of your data getting 'hacked' via Sync / Firefox Account services.

Sucks, doesn't it?

Is that info which you give about the FF server security public info somewhere that I can have a look at?

Yes it sucks.

The best I can do for "public info" about Sync and the Sync server is the MDN website (Mozilla Developer Network) documentation which is geared towards developers of Firefox add-ons. https://www.google.com/search?q=site:developer.mozilla.org%20Sync&ie=utf-8&oe=utf-8&lr=lang_en Lacking in direct user information though.

Another source that is geared towards the end user would be the ghacks.net website > Archive | Firefox. https://www.ghacks.net/category/firefox/

cor-el
  • Top 10 Contributor
  • Moderator
15477 solutions 140165 answers


See also:

  • https://github.com/mozilla/fxa-auth-server
  • https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol
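The "two keys derived from the account password" that the-edmeister describes, and the onepw protocol cor-el links to, can be followed end to end in a few dozen lines. The block below is an added worked example, not Mozilla's code: the client-side PBKDF2 and HKDF constants are taken from the linked onepw-protocol page, while the server model (a random per-account salt, scrypt with N=65536, r=8, p=1, then HKDF to a stored verifier) is simplified from it. The email address and password are constructed sample values. The point to check in the code is which values the server stores: only `verifyHash`, `kA` and `wrapKb`, so neither the password nor `kB` (from which the Sync encryption and HMAC keys are derived) is ever available server-side.

```python
"""Key derivation in the Firefox Accounts "onepw" protocol, client and server.

Added illustration, not Mozilla's code. The PBKDF2/HKDF constants follow the
onepw-protocol wiki linked above; the server model (random per-account salt,
scrypt N=65536/r=8/p=1, HKDF to verifyHash) is simplified, and the email and
password are constructed sample values.
"""
import hashlib
import hmac
import os

NS = b"identity.mozilla.com/picl/v1/"


def hkdf_sha256(ikm, info, length, salt=b""):
    """RFC 5869 HKDF-SHA256: extract with a (zero-filled) salt, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_derive(email, password):
    """Computed on the device. Only authPW is sent to the server; the password
    itself and unwrapBKey never leave the client."""
    quick = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), NS + b"quickStretch:" + email.encode(), 1000, 32)
    return {
        "authPW": hkdf_sha256(quick, NS + b"authPW", 32),
        "unwrapBKey": hkdf_sha256(quick, NS + b"unwrapBkey", 32),
    }


class AuthServer:
    """Per-account state the server keeps. kB is stored only XOR-wrapped under
    unwrapBKey, so the server cannot recover the Sync encryption key."""

    def __init__(self, auth_pw, unwrap_bkey):
        self.kA = os.urandom(32)          # survives a password reset
        kB = os.urandom(32)               # lost on a password reset
        self.wrapKb = xor(kB, unwrap_bkey)
        self.salt = os.urandom(32)        # simplified: per-account random salt
        self.verify_hash = self._verify_hash(auth_pw, self.salt)

    @staticmethod
    def _verify_hash(auth_pw, salt):
        big = hashlib.scrypt(auth_pw, salt=salt, n=65536, r=8, p=1,
                             maxmem=2**27, dklen=32)
        return hkdf_sha256(big, NS + b"verifyHash", 32)

    def login(self, auth_pw):
        """Release kA and wrapKb only when authPW verifies; None otherwise."""
        if not hmac.compare_digest(self.verify_hash,
                                   self._verify_hash(auth_pw, self.salt)):
            return None
        return {"kA": self.kA, "wrapKb": self.wrapKb}


def sync_key_bundle(kB):
    """The Sync AES key and HMAC key are HKDF-derived from kB on the device."""
    keys = hkdf_sha256(kB, NS + b"oldsync", 64)
    return keys[:32], keys[32:]


def demo(email="alice@example.com", password="correct horse battery staple"):
    """Round trip: enrol, log in, unwrap kB, derive Sync keys; then try a wrong
    password and compare what the server stores with the real kB."""
    c = client_derive(email, password)
    server = AuthServer(c["authPW"], c["unwrapBKey"])
    got = server.login(c["authPW"])
    kB = xor(got["wrapKb"], c["unwrapBKey"])
    enc_key, hmac_key = sync_key_bundle(kB)
    wrong = client_derive(email, password + "!")
    return {
        "kB": kB,
        "enc_key": enc_key,
        "hmac_key": hmac_key,
        "wrong_password_login": server.login(wrong["authPW"]),
        "wrapKb_equals_kB": got["wrapKb"] == kB,
    }


if __name__ == "__main__":
    r = demo()
    print("kB:", r["kB"].hex())
    print("wrong password accepted:", r["wrong_password_login"] is not None)
```

Two practical consequences follow from the derivation. First, the account password's strength is what protects `kB`: anyone who obtains `wrapKb` from the server and can guess the password recovers `kB` offline, with only the client-side PBKDF2 (1000 iterations) in the way, which is why a strong Firefox Account password matters more than the master password here. Second, the server's `verifyHash` sits behind scrypt, so a server-side dump does not directly yield `authPW`; `hashlib.scrypt` needs a Python built against OpenSSL with scrypt support, and the 64 MiB working set is why `maxmem` is raised.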
jscher2000
  • Top 10 Contributor
6447 solutions 52788 answers

In case Firefox is not your entire world when it comes to logins, you might consider using a service with broader support. Redditors have been suggesting this one as a replacement for LastPass, but I've never heard of it before: bitwarden - Free Password Manager.


Question owner

FF is not my entire world, I have loads of host logins and PINs and such stuff.

All I would need is the ability to add entries to the password manager.

I have yet to search the add-ons catalogue for something that does that - fingers crossed.
