Support Forum

The new sync process and master password do not mix

smo
Posted

The article "Why can't I sync my passwords?" (linkified~J99) states that the master password inhibits the syncing, which is why the option "sync password" is greyed out if the master password is used. So to sync the passwords one needs to turn the master password off, i.e. set it to "empty".

What speaks against the following:

  1. turn the master password off and let the sync harvest the existing passwords
  2. turn the master password on
  3. do this on all the devices of concern

Eventually, all the devices should have the passwords "more or less" synced, while still enjoying the safety provided by their master password. "More or less", because doing the above procedure consecutively for devices A, B, C ends with B having a synced set of passwords from A and B, and C the set containing the synced passwords from A, B and C (which is then the valid set of passwords in the cloud). Given the fact we do not change passwords too often, this should not be a big problem. One can, for instance, repeat the above procedure for A at the end of the round.

Does it make sense?

TiA

smo


Modified by John99


John99 971 solutions 13138 answers

I tend to avoid using Sync and do not follow the progress much. I wonder if there are already bugs/wikis/plans to fix this?

It would seem sensible, given that someone wishes to sync, that the passwords should be syncable even with a master password set. Maybe add an extra confirmation step if it is thought necessary. We should have a programmatic solution instead of making users jump through hoops on a workaround.

the-edmeister
  • Top 25 Contributor
  • Moderator
5387 solutions 39985 answers
   
  1. turn the master password off and let the sync harvest the existing passwords
  2. turn the master password on
  4. do this on all the devices of concern

I doubt if that would work. Without using a Master Password (MP) Firefox uses two files for storing password data. When the MP is used a third file is used, along with the first two.
Turn off the MP and then Sync, the 3rd file wouldn't Sync (I suspect) and the Passwords would be useless.

Then there's the issue of when the user starts using a MP, any Passwords already saved aren't "protected" by the MP. Partial set of Passwords would Sync, if that 3rd file wouldn't be Sync'd. (Paternalistic behavior?)

I suspect that Mozilla might be concerned about Mobile devices becoming lost, complicated by the user accidentally syncing passwords on Mobile devices.
Then there is the Persona program.
http://www.mozilla.org/en-US/persona/
Why Sync Passwords when Persona is available and the user doesn't need passwords saved on any or every device?

In the "retail world" it's known as bundling of services. But with Firefox there's no extra cost - in fact it's all free! I suspect that is why the new Sync doesn't allow Sync with the MP feature turned on.


Question owner

I just want to have a cake and eat it too.

I added my 2c to the 993461 bug - which is a different story afaik.

Regards

smo

V@no 0 solutions 10 answers

Helpful Reply

I'm very disappointed with the way Mozilla is heading. This last v29 update is really pushing my buttons. To me it seems Mozilla is trying to get rid of its user base, as it is clearly lacking any common sense.

Now, this new master password vs sync issue is really something else. I couldn't believe my eyes when I read the official "solution" provided. Were they high or something?

If they continue this trend, the solution after the next update would be to get a piece of paper and a pen and write down the passwords?


Helpful Reply

@the-edmeister:

"bundling services" is fine, as long as the barn door is not left wide open, as is the case now with "no master password". What have they been smoking?

Regards

smo

G-GR3G-G 0 solutions 2 answers

So how about syncing the passwords along with the master password; syncing the master password along with the saved passwords?

I realise that the master password would then have to be stored on Mozilla's server, so as an alternative:
Maybe instead of using a master password, if you wanted to use the 'master password' you would have to log in to your Mozilla account if you wanted to use the stored passwords?
In any case, if you're not connected to the internet then I don't see why you would want to access your passwords... so if you were just checking a password by loading up Firefox, the only reason for finding out the password would be so you can log in to a site, REQUIRING internet anyway...
And if your Mozilla account was hacked, can your passwords be stolen anyway if you've set up sync for passwords?
(Or is there a 'was this you' message if the passwords are synced to an unknown PC?)
the-edmeister
  • Top 25 Contributor
  • Moderator
5387 solutions 39985 answers

Chosen Solution

https://bugzilla.mozilla.org/show_bug.cgi?id=995268#c58

"The issue in this bug is about the fact we no longer sync your passwords if you have a master-password enabled. We realize this is a significant limitation and we are working on a fix to bring things back to parity with the old sync. We do take this issue seriously, and the fix will almost certainly involve storing the FxA credentials in the login manager, so would be as protected by the master-password as any other passwords are."

John99 971 solutions 13138 answers

Obviously new sync has its flaws apparently due to abandoning the old pairing method in favour of everyone understands logins and emails. The restriction was considered necessary on security grounds.

Bug 970167#c49

"I suppose there's probably not much here that hasn't already been mentioned by rnewman in bug 995268, but opening a previously-hidden bug is much more visible to the bad guys looking for juicy details to exploit."

And a comparison and explanation

  • https://blog.mozilla.org/warner/2014/04/02/pairing-problems/
  • https://blog.mozilla.org/warner/2014/05/23/the-new-sync-protocol/
Bill Roberts 0 solutions 2 answers

Is there a projected date for the development and release of a Master Password/SYNC fix? Until it's available, I can see that the quality of my Firefox experience will be severely diminished. SYNC and the Master password are 2 of the major features that have kept me a loyal Mozilla user. My bright and inquisitive grandchildren are always pointing out the wonders of their favorite new browser. Every time I try one, it would always come back to "Will it remember and protect my data (passwords included) and can I use it easily on the many devices I access." For instance the borrowed PC I booted with my Ubuntu thumb drive and composed this message on. Please hurry and fix it!

DeveloperChris 0 solutions 2 answers

I cannot understand why Mozilla would take this route. It is a decision that reduces security (by forcing me to remove my master password).

Not impressed. I just downloaded and installed Firefox on my Android SPECIFICALLY for password syncing. Now I am told to use a user tracking service (Persona) to do my password.

Not going to happen!

Unimpressed. Bring back password syncing please.

Doom2 0 solutions 1 answers

Yes, this is very annoying. Any update on a fix yet? I love the sync function but want my passwords to sync too.

Cheers D2
