What type of encryption is Firefox using for password protection and how trustworthy is it?
I would like to know what kind of encryption FF uses and how I know I can trust it? This is not a bone of contention with FF, I love the product, rather it is just a concern I have that will convince me to let FF manage my financial passwords. Thanks for any assistance with understanding this issue more completely.
All Replies (5)
The degree of protection very much depends on how strong your master password is.
When using a master password, the data is encrypted using Triple DES Encryption in CBC mode. This level of encryption is good for general purpose use. The weak point is the master password. If you have a weak master password, there are programs available that will be able to crack the master password; they often do this by using a brute force method. If you use a strong master password, the brute force method will need a very long time to crack passwords. For details on password strength and creating strong passwords see http://en.wikipedia.org/wiki/Password_strength and http://luxsci.com/blog/security-simplified-the-basesuffix-method-for-memorable-strong-passwords.html
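The comparison behind this answer, as an added example that is not part of the original thread: it estimates an upper bound on the brute-force search space of a master password and compares it with the strength of the cipher. The 112-bit effective strength of three-key Triple DES, the character-class model and the guess rate are assumptions of the example, not figures from the thread.

```python
import math
import string

# Assumption: three-key Triple DES gives about 112 bits of effective
# strength (meet-in-the-middle), so guessing the key directly costs ~2^112.
TDES_EFFECTIVE_BITS = 112
# Assumption: constructed, illustrative offline guessing rate.
GUESSES_PER_SECOND = 1e9

CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)

def search_bits(password):
    """Upper bound, in bits, on the space an exhaustive search must cover.

    Human-chosen passwords are usually far weaker than this bound, because
    dictionary-based guessing does not need to cover the whole space.
    """
    if any(not any(c in cls for cls in CLASSES) for c in password):
        raise ValueError("only printable ASCII is modelled")
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def effective_bits(password):
    """Protection is capped by whichever is weaker: password or cipher."""
    return min(search_bits(password), TDES_EFFECTIVE_BITS)

def weakest_link(password):
    """Name the component an attacker would go after first."""
    if search_bits(password) < TDES_EFFECTIVE_BITS:
        return "master password"
    return "cipher"

def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in a space of 2^bits at the given rate."""
    return 2.0 ** bits / rate

if __name__ == "__main__":
    # Constructed sample master passwords.
    for pw in ("password", "aB3!" * 5):
        bits = search_bits(pw)
        print(f"{pw!r}: <= {bits:.1f} bits, weakest link: {weakest_link(pw)}, "
              f"exhausted in {seconds_to_exhaust(bits):.3g} s at most")
```
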
Thanks for the speedy response. This is what I needed to know. My passwords are obnoxious so it should be safe to use FF is what you are telling me. Thanks again.
Could I trust online banking password if I use a VERY STRONG FF MASTER PASSWORD? Now I am using Roboform but it is getting rather complicated with each new update.
You ask a difficult question but a good question. Don't feel you must take my word as gospel but here is my take on the issue of passwords. These are my own thoughts based on my previous experience with the software industry.
Keep in mind that software folks believe their systems are strong and unbreakable as a rule. My take is a bit more pessimistic. Others disagree with me strongly.
My answer to your question is that the Triple DES used by Firefox should be adequate if your password strength is very, very strong and you change your password on a regular basis to your most critical website access points such as banking, credit union, Amazon, or other on-line financial-like accounts.
Most of us do not make changes to our passwords regularly. Do you know how to create a strong password?
Here are a couple of references that were shared with me on how to create a strong password: http://en.wikipedia.org/wiki/Password_strength and http://luxsci.com/blog/security-simplified-the-basesuffix-method-for-memorable-strong-passwords.html
Note also that RSA recently reported a breach of their two token SecurID product which I consider the strongest available password solution in production. It is composed of a strong password coupled with the SecurID token which has an ever changing 6-digit number that is used in conjunction with the password to access the "system." This reported breach at Lockheed Martin was an "inside job" in my opinion but no one is really saying it was or anything else for that matter. I wish the RSA SecurID token was standard because it would essentially be unbreakable---except from the inside secure solution issue. Alas, this has not come to pass.
For personal safety reasons, I still prefer to create my own passwords that are not stored on my machine for my critical banking, savings, purchasing (Amazon-like sites) and health accounts only. I use Firefox's solution for all other websites.
Hope this helps answer your question.
Thank you very much, agree completely. I am sure all reading your suggestions and also applying them will be thankful, feeling safer.