Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How secure is the Firefox master password feature? How long would it take someone to discover your password using a "password recovery" tool? What is being done to improve the security of the master password feature to make it truly secure?

  • 1 reply
  • 1 has this problem
  • 200 views
  • Last reply by cor-el

more options

If you do a search for "firefox master password recovery", you'll find a large number of links to software that will "recover" the master password, effectively defeating this security. I know that in the past, these have been pretty quick to use, but a recent search resulted in one that uses a brute force method, so it appears that you have improved on the security. If a brute force method is required, is it possible to use some method of encryption that would be so slow as to make this technique infeasible?

If you do a search for "firefox master password recovery", you'll find a large number of links to software that will "recover" the master password, effectively defeating this security. I know that in the past, these have been pretty quick to use, but a recent search resulted in one that uses a brute force method, so it appears that you have improved on the security. If a brute force method is required, is it possible to use some method of encryption that would be so slow as to make this technique infeasible?

All Replies (1)

more options

If you use a weak master password that can easily be constructed via a dictionary look up then it doesn't matter how long that password is.

If you want to make it difficult then use a MP that contains uppercase and lowercase characters (e.g. a-z, A-Z) and have digits (0-9) and punctuation characters and symbols (`~!@#$%&*()-_=+[]{}\;:'",.<>/?) and the length should at least be 8, but better use at least 12.

Never use words that can be found or constructed via a dictionary look up, even if there are numbers added or some characters have a different case.

See also http://en.wikipedia.org/wiki/Password_strength


The names and passwords are encrypted with a Triple-DES key that is stored in key3.db and a master password adds an additional level to that encryption.
If you do not use a master password then having access to key3.db and signons.sqlite is sufficient to have access to the encrypted names and passwords.
Make sure that you remember that master password or else all your passwords are lost.

See http://en.wikipedia.org/wiki/Triple_DES - TripleDES (CBC mode)

Modified by cor-el