X
Tap here to go to the mobile version of the site.

Support Forum

What is the default protection of saved logins in Firefox?

Posted

The following support page: https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_protecting-your-passwords says that "Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer can still see or use them." So by default there is NO password protection of my saved logins. I tried to copy key4.db and logins.json to a new profile - and got them available! So what's the point of encryption then? Also can these files be read (unencrypted) outside of Firefox?

The following support page: https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_protecting-your-passwords says that "Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer can still see or use them." So by default there is NO password protection of my saved logins. I tried to copy key4.db and logins.json to a new profile - and got them available! So what's the point of encryption then? Also can these files be read (unencrypted) outside of Firefox?

Modified by vstepaniuk

Chosen solution

The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files is Firefox profile folder to see the passwords in the Password Manager.

The usernames and passwords are encrypted with triple-DES stored in the key file, but the MP adds an extra layer.

Read this answer in context 1

Additional System Details

Installed Plug-ins

  • Shockwave Flash 27.0 r0

Application

  • User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

More Information

FredMcD
  • Top 10 Contributor
4147 solutions 57893 answers

A slight error. That should read access to your computer user account. If you want added protection, you can use the Master Password option.

https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords

A slight error. That should read ''access to your computer user account.'' If you want added protection, you can use the Master Password option. https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords
FredMcD
  • Top 10 Contributor
4147 solutions 57893 answers

Separate Security Issue: Update your Flash Player or remove it using these links; http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html Uninstall Flash Player | Windows http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html Uninstall Flash Player | Mac

Note: Windows users should download the ActiveX for Internet Explorer. and the plugin for Plugin-based browsers (like Firefox).

Note: Windows 8 and Windows 10 have built-in flash players and Adobe will cause a conflict. Install the plugin only. Not the ActiveX.

Flash Player Version: Version 29.0.0.113

https://get.adobe.com/flashplayer/ Direct link scans current system and browser Note: Other software is offered in the download. <Windows Only>

https://get.adobe.com/flashplayer/otherversions/ Step 1: Select Operating System Step 2: Select A Version (Firefox, Win IE . . . .) Note: Other software is offered in the download. <Windows Only> +++++++++++++++++++ See if there are updates for your graphics drivers https://support.mozilla.org/en-US/kb/upgrade-graphics-drivers-use-hardware-acceleration

Separate Security Issue: Update your Flash Player or remove it using these links; http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html Uninstall Flash Player | Windows http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html Uninstall Flash Player | Mac '''Note: Windows users''' should download the '''ActiveX''' for ''Internet Explorer.'' '''and''' the '''plugin''' for ''Plugin-based browsers'' (like Firefox). '''Note: Windows 8 and Windows 10''' have built-in flash players and Adobe will cause a conflict. Install the plugin only. Not the ActiveX. Flash Player Version: '''Version 29.0.0.113 ''' https://get.adobe.com/flashplayer/ Direct link scans current system and browser '''Note: Other software''' is offered in the download. <Windows Only> https://get.adobe.com/flashplayer/otherversions/ Step 1: Select Operating System Step 2: Select A Version (Firefox, Win IE . . . .) '''Note: Other software''' is offered in the download. <Windows Only> +++++++++++++++++++ See if there are updates for your graphics drivers https://support.mozilla.org/en-US/kb/upgrade-graphics-drivers-use-hardware-acceleration

Question owner

FredMcD said

A slight error. That should read access to your computer user account. If you want added protection, you can use the Master Password option. https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords

I know about the Master Password. I want to know what's the point of encryption, and what does it protect me from? Basically I want to understand what is the default protection of saved logins in Firefox....

''FredMcD [[#answer-1092831|said]]'' <blockquote> A slight error. That should read ''access to your computer user account.'' If you want added protection, you can use the Master Password option. https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords </blockquote> I know about the Master Password. I want to know what's the point of encryption, and what does it protect me from? Basically I want to understand what is the default protection of saved logins in Firefox....
TyDraniu
  • Top 25 Contributor
292 solutions 1632 answers

Someone with personal access to your user accont can do much more worse things than only read your passwords.

Someone with personal access to your user accont can do much more worse things than only read your passwords.

Question owner

TyDraniu said

Someone with personal access to your user accont can do much more worse things than only read your passwords.

Wow!

Only the question is absolutely different.. If you don't like the wording, go ahead and edit the article.

''TyDraniu [[#answer-1092839|said]]'' <blockquote> Someone with personal access to your user accont can do much more worse things than only read your passwords. </blockquote> Wow! Only the question is absolutely different.. If you don't like the wording, go ahead and edit the article.
FredMcD
  • Top 10 Contributor
4147 solutions 57893 answers

I did submit an edit.

I did submit an edit.

Question owner

Assuming that key4.db and logins.json files got accessed by a wrong person (no matter how: via physical access to a logged in computer, via malware, or from a flash drive with a backup copy of Firefox profile folder), will they be able to read the contents of the files? If yes, what's the point of encryption then? And finally, again, if yes, why isn't Master Password used by default?

(I tried to copy these files to a different Firefox profile of the same user, and also of a different user, and both times I was able to read them from Firefox.

Assuming that ''key4.db'' and ''logins.json'' files got accessed by a wrong person (no matter how: via physical access to a logged in computer, via malware, or from a flash drive with a backup copy of Firefox profile folder), will they be able to read the contents of the files? If yes, what's the point of encryption then? And finally, again, if yes, why isn't Master Password used by default? (I tried to copy these files to a different Firefox profile of the same user, and also of a different user, and both times I was able to read them from Firefox.
cor-el
  • Top 10 Contributor
  • Moderator
17269 solutions 156091 answers

Chosen Solution

The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files is Firefox profile folder to see the passwords in the Password Manager.

The usernames and passwords are encrypted with triple-DES stored in the key file, but the MP adds an extra layer.

The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files is Firefox profile folder to see the passwords in the Password Manager. The usernames and passwords are encrypted with triple-DES stored in the key file, but the MP adds an extra layer. *https://dxr.mozilla.org/mozilla-release/source/security/nss/doc/html/pk12util.html

Question owner

Thank you very much for a detailed explanation

Thank you very much for a detailed explanation