A small suggestion about the "MASTER PASSWORD" and how it works.

  • 5 replies
  • 2 have this problem
  • 13 views
  • Last reply by cor-el

This is more me "thinking aloud" about the master password and how (I think) it works.

My take is that: Without it being set, all your saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

So, you set a master password, and all is good. Or is it?

Here's my concern:

You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.

You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.

But say you get some nasty software. It starts looking through your saved logins.

What is stopping it basically getting them all without your knowledge?

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or however it works) you are told with a simple "Site log in requested".

I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed.

Thanks very much in advance.

All Replies (5)

Chosen Solution

teeny_weeny said

My take is that: Without it being set, all your saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted or malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or however it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

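Added example, not part of the original thread: the autofill checkbox described in the answer above is stored as the `signon.autofillForms` preference, so the setting can be audited from a profile's `prefs.js` and `user.js`. The function names and the sample file contents are constructed for illustration.

```python
import re

# Matches lines such as: user_pref("signon.autofillForms", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

AUTOFILL_PREF = "signon.autofillForms"  # preference behind the autofill checkbox
AUTOFILL_DEFAULT = True                 # Firefox default when the pref is not listed


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comment, blank line, or something we do not understand
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                continue  # unknown value syntax: skip rather than guess
    return prefs


def autofill_enabled(prefs_js, user_js=""):
    """Effective autofill setting; user.js is applied over prefs.js at startup."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(AUTOFILL_PREF, AUTOFILL_DEFAULT)


# Constructed sample: a profile where the checkbox has been cleared.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("signon.autofillForms", false);
"""

if __name__ == "__main__":
    state = "ON" if autofill_enabled(SAMPLE_PREFS_JS) else "OFF"
    print("Login autofill is", state)
```

Only non-default values are written to `prefs.js`, so a profile that has never changed the setting has no line for it and the function reports the default.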

Thanks for clearing that confusion up.

Shall search for what you suggested and turn it off.


I don't want to suggest we can get rid of the risk of passwords being scraped from web pages, but at least we can get rid of fake or hidden forms being filled automatically.


Yes. Thanks. I did what you suggested and that shall allay most fears.


On Linux this would normally not be much of an issue.

Note that you can logout of the software security device (Password Manager) by canceling a master password prompt that you get when you want to view a password in Lockwise.
