Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

What is the default protection of saved logins in Firefox?

  • 9 replies
  • 2 have this problem
  • 794 views
  • Last reply by vstepaniuk

more options

The following support page: https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_protecting-your-passwords says that "Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer can still see or use them." So by default there is NO password protection of my saved logins. I tried to copy key4.db and logins.json to a new profile - and got them available! So what's the point of encryption then? Also can these files be read (unencrypted) outside of Firefox?

Modified by vstepaniuk

Chosen solution

The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files is Firefox profile folder to see the passwords in the Password Manager.

The usernames and passwords are encrypted with triple-DES stored in the key file, but the MP adds an extra layer.

Read this answer in context 👍 1

All Replies (9)

more options

A slight error. That should read access to your computer user account. If you want added protection, you can use the Master Password option.

https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords

more options

Separate Security Issue: Update your Flash Player or remove it using these links; http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html Uninstall Flash Player | Windows http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html Uninstall Flash Player | Mac

Note: Windows users should download the ActiveX for Internet Explorer. and the plugin for Plugin-based browsers (like Firefox).

Note: Windows 8 and Windows 10 have built-in flash players and Adobe will cause a conflict. Install the plugin only. Not the ActiveX.

Flash Player Version: Version 29.0.0.113

https://get.adobe.com/flashplayer/ Direct link scans current system and browser Note: Other software is offered in the download. <Windows Only>

https://get.adobe.com/flashplayer/otherversions/ Step 1: Select Operating System Step 2: Select A Version (Firefox, Win IE . . . .) Note: Other software is offered in the download. <Windows Only> +++++++++++++++++++ See if there are updates for your graphics drivers https://support.mozilla.org/en-US/kb/upgrade-graphics-drivers-use-hardware-acceleration

more options

FredMcD said

A slight error. That should read access to your computer user account. If you want added protection, you can use the Master Password option. https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords

I know about the Master Password. I want to know what's the point of encryption, and what does it protect me from? Basically I want to understand what is the default protection of saved logins in Firefox....

more options

Someone with personal access to your user accont can do much more worse things than only read your passwords.

more options

TyDraniu said

Someone with personal access to your user accont can do much more worse things than only read your passwords.

Wow!

Only the question is absolutely different.. If you don't like the wording, go ahead and edit the article.

more options

I did submit an edit.

more options

Assuming that key4.db and logins.json files got accessed by a wrong person (no matter how: via physical access to a logged in computer, via malware, or from a flash drive with a backup copy of Firefox profile folder), will they be able to read the contents of the files? If yes, what's the point of encryption then? And finally, again, if yes, why isn't Master Password used by default?

(I tried to copy these files to a different Firefox profile of the same user, and also of a different user, and both times I was able to read them from Firefox.

more options

Chosen Solution

The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files is Firefox profile folder to see the passwords in the Password Manager.

The usernames and passwords are encrypted with triple-DES stored in the key file, but the MP adds an extra layer.

more options

Thank you very much for a detailed explanation