
Firefox master password has been reset by something other than me.
Hi,
I have in the past month reinstalled my Linux PC. During that process I recently my Firefox account and set my master password.
Yesterday, I re-synced Firefox.
Today I found out that my Firefox master password has been reset and anyone who could access my desktop would have complete access to any of my websites not protected by two factor authentication.
Is the master password synced?
So I have immediately reset it to the old password as an initial step to protect my passwords locally.
I will shortly create a new random password and apply that as a new master password.
None of my website accounts appear to be compromised, yet. I have checked the ones I am most concerned about all of which have two factor authentication. I have not checked all of them by a long way.
I have several questions:
What can cause this?
What is at risk when this happens?
What should I do once I have discovered that my master password has been reset?
Should I change all the passwords of all my accounts?
If someone got access to my Firefox account could they re-sync to a different machine and have access to all my personal website data?
How can I protect against such a total disaster? At the moment the protection on this account is a password and an Authenticator App second line of defense. Although I was not asked for 2FA when logging into your support.
All Replies (2)
"I recently my Firefox account" should read "I re-synced my Firefox account at the time"
The Primary Password (formerly known as Master Password) is purely local and does not sync. It typically differs from your Mozilla Account password. The Primary Password has only one role: it acts as a second factor along with key4.db to read the encrypted parts of the logins.json file. Ref. Use a Primary Password to protect stored logins and passwords.
Firefox will typically prompt you at the beginning of your session to enter the Primary Password in order to unlock your sync token. If you cancel at that point, Firefox will prompt you when you visit a page for which you have saved a login. Then Firefox usually will not prompt you to re-enter the Primary Password until you quit Firefox, unless you want to see or copy a password from the passwords page. Is it working that way for you right now?
As far as I know, there is no way for someone to remove your Primary Password without knowing the password, while preserving access to your saved logins. Is it possible there was some kind of OS-level rollback to an earlier logins.json/key4.db pair from before you set the Primary Password?
In terms of possible risks:
(1) If someone guesses your Mozilla Account password, they could in theory sync another installation of Firefox to your account to obtain your saved logins. Normally, Mozilla sends you a message when a new device connects to your Mozilla Account, so this should not occur without you being aware of it.
(2) If someone obtains physical access to the files on your computer, and can steal/exfiltrate the logins.json and key4.db files, and you are not using a Primary Password, then those two files alone will be sufficient to extract your saved logins. If you think that could have happened, then yes, it would make sense to change your passwords for those sites.
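One way to check the rollback hypothesis raised in the reply above, as an added example that is not part of the thread: snapshot the logins.json/key4.db pair (hashes, `nextId`, login count, newest `timePasswordChanged`) and compare a later snapshot against it. The sample file contents are constructed; the profile path and the top-level `logins.json` keys are assumed to follow the standard Firefox layout, and nothing is decrypted.

```python
import hashlib
import json
from pathlib import Path

# Constructed sample contents of logins.json. Real files carry the same
# top-level keys; encrypted fields are shortened here. Timestamps are
# milliseconds since the epoch.
BASELINE_LOGINS = json.dumps({"nextId": 3, "logins": [
    {"id": 1, "hostname": "https://mail.example", "guid": "{g1}",
     "encryptedPassword": "MDoEEPgAAAA...", "timePasswordChanged": 1700000000000},
    {"id": 2, "hostname": "https://bank.example", "guid": "{g2}",
     "encryptedPassword": "MDoEEPgAAAA...", "timePasswordChanged": 1710000000000}],
    "version": 3}).encode()
# An older copy of the same file: one login and a lower nextId, which is
# what restoring an earlier backup of the profile would produce.
ROLLED_BACK_LOGINS = json.dumps({"nextId": 2, "logins": [
    {"id": 1, "hostname": "https://mail.example", "guid": "{g1}",
     "encryptedPassword": "MDoEEPgAAAA...", "timePasswordChanged": 1700000000000}],
    "version": 3}).encode()

def snapshot(logins_json: bytes, key4_db: bytes) -> dict:
    """Summarise the logins.json/key4.db pair without decrypting anything."""
    data = json.loads(logins_json)
    logins = data.get("logins", [])
    return {
        "logins_sha256": hashlib.sha256(logins_json).hexdigest(),
        "key4_sha256": hashlib.sha256(key4_db).hexdigest(),
        "next_id": data.get("nextId", 0),
        "login_count": len(logins),
        "latest_change": max((l.get("timePasswordChanged", 0) for l in logins), default=0),
    }

def snapshot_profile(profile_dir: str) -> dict:
    """Snapshot a real profile directory (path is an assumption; pass your own)."""
    p = Path(profile_dir)
    return snapshot((p / "logins.json").read_bytes(), (p / "key4.db").read_bytes())

def detect_rollback(baseline: dict, current: dict) -> list:
    """Return findings consistent with an older file pair having been restored."""
    findings = []
    if current["next_id"] < baseline["next_id"]:
        findings.append("nextId went backwards: %d -> %d" % (baseline["next_id"], current["next_id"]))
    if current["login_count"] < baseline["login_count"]:
        findings.append("fewer saved logins than baseline")
    if current["latest_change"] < baseline["latest_change"]:
        findings.append("newest timePasswordChanged is older than baseline")
    if current["key4_sha256"] != baseline["key4_sha256"]:
        findings.append("key4.db changed (Primary Password set/changed/removed, or file replaced)")
    return findings
```

Store the baseline snapshot somewhere outside the profile directory; an empty findings list on a later run means neither file moved backwards.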