Are the logins stored in the manager encrypted even if you are NOT using a master password?
Hello. If I do not use a master password for the manager I know that someone who can physically access my PC could load up my profile and see my PWs.
What I am not clear on is the following. Could say a virus or trojan send some files from my profile to a hacker, who could then retrieve my PWs from that file or files?
Or will the PWs be stored encrypted anyway, despite my not using a Master PW? And? And so theoretically such files would be useless to anyone who steals them?
I am basically just unclear on whether the encryption and secure storage happens regardless, or only with a master PW.
All Replies (4)
The usernames and passwords are encrypted in the logins.json file, but you only need the key3.db file that stores the encryption key to be able to see the passwords in a Firefox instance by copying the two file to the profile folder. The master password adds an additional encryption level to the basic encryption done via a seed. Both encryption keys are stored in the key3.db file, so you need to backup both files if you want to do this.
To answer more directly: without a master password your pwd information is not stored in cleartext but only obfuscated. Anybody or any software that has access to your device will be able to retrieve your passwords. It is essential to set a master password if you want to protect against that.
Thanks for the info. Just to clarify something. When using a master PW, no matter what files a thief stole from a profile, they would still need to know the master PW? There are no files that would give all the "keys" and whatever else is needed to unlock the PWs, as is the case when NOT using a master?
If you use a weak master password (e.g. word that can be found in a dictionary) then it is theoretically possible to do a brute force attack to crack your password, but unless you have very sensitive data that is worth a lot of money then I don't think that a thief would take that trouble.