Firefox master password has been reset by something, other than me.

Hi,

I have in the past month reinstalled my Linux PC. During that process I recently my Firefox account and set my master password.

Yesterday, I re-synced Firefox.

Today I found out that my Firefox master password has been reset and anyone who could access my desktop would have complete access to any of my websites not protected by two factor authentication.

Is the master password synced?

So I have immediately reset it to the old password, as an initial step to protect my passwords locally.

I will shortly create a new random password and apply that as a new master password.

None of my website accounts appear to be compromised, yet. I have checked the ones I am most concerned about all of which have two factor authentication. I have not checked all of them by a long way.

I have several questions:

What can cause this?

What is at risk when this happens?

What should I do once I have discovered that my master password has been reset?

Should I change all the passwords of all my accounts?

If someone got access to my Firefox account could they re-sync to a different machine and have access to all my personal website data?

How can I protect against such a total disaster? At the moment the protection on this account is a password and an Authenticator App second line of defense. Although I was not asked for 2FA when logging into your support.

All Replies (2)

"I recently my Firefox account" should read "I re-synced my Firefox account at the time"

The Primary Password (formerly known as Master Password) is purely local and does not sync. It typically differs from your Mozilla Account password. The Primary Password has only one role: it acts as a second factor along with key4.db to read the encrypted parts of the logins.json file. Ref. Use a Primary Password to protect stored logins and passwords.

Firefox will typically prompt you at the beginning of your session to enter the Primary Password in order to unlock your sync token. If you cancel at that point, Firefox will prompt you when you visit a page for which you have saved a login. Then Firefox usually will not prompt you to re-enter the Primary Password until you quit Firefox, unless you want to see or copy a password from the passwords page. Is it working that way for you right now?

As far as I know, there is no way for someone to remove your Primary Password without knowing the password, while preserving access to your saved logins. Is it possible there was some kind of OS-level rollback to an earlier logins.json/key4.db pair from before you set the Primary Password?

In terms of possible risks:

(1) If someone guesses your Mozilla Account password, they could in theory sync another installation of Firefox to your account to obtain your saved logins. Normally, Mozilla sends you a message when a new device connects to your Mozilla Account, so this should not occur without you being aware of it.

(2) If someone obtains physical access to the files on your computer, and can steal/exfiltrate the logins.json and key4.db files, and you are not using a Primary Password, then those two files alone will be sufficient to extract your saved logins. If you think that could have happened, then yes, it would make sense to change your passwords for those sites.
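Added example, not part of the reply above and not Mozilla code: a local audit of the logins.json/key4.db pair the answer describes, flagging files that other local users can access and a key4.db whose modification time predates the moment you set the Primary Password (the rollback case raised above). It assumes key4.db is rewritten when the Primary Password is set; the function names and the throwaway profile are constructed for the demonstration.

```python
import os
import stat
import tempfile
import time

CRED_FILES = ("logins.json", "key4.db")  # the pair named in the answer

def audit_profile(profile_dir, primary_pw_set_at=None):
    """Return findings for one Firefox profile directory.

    primary_pw_set_at: Unix time at which you set the Primary Password.
    Assumption: key4.db is rewritten at that moment, so an older mtime
    suggests the file was restored from an earlier copy.
    """
    findings = []
    for name in CRED_FILES:
        path = os.path.join(profile_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{name}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        # Any group/other permission bit means other local accounts may copy it.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: group/other access (mode {mode:o})")
        if (name == "key4.db" and primary_pw_set_at is not None
                and st.st_mtime < primary_pw_set_at):
            findings.append("key4.db: older than Primary Password change")
    return findings

def build_constructed_profile():
    """Create a throwaway profile with constructed placeholder files."""
    d = tempfile.mkdtemp(prefix="ffprofile-")
    set_at = time.time()
    for name, mode in (("logins.json", 0o644), ("key4.db", 0o600)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, mode)
    # Simulate a restored key4.db: mtime one day before the change.
    os.utime(os.path.join(d, "key4.db"), (set_at - 86400, set_at - 86400))
    return d, set_at

if __name__ == "__main__":
    profile, set_at = build_constructed_profile()
    for line in audit_profile(profile, set_at):
        print(line)
```

To use it on a real profile, pass the profile directory path and the approximate time you set the Primary Password; the mtime check is a heuristic, not proof of a rollback.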
