Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Támogatás keresése

Kerülje el a támogatási csalásokat. Sosem kérjük arra, hogy hívjon fel egy telefonszámot vagy osszon meg személyes információkat. Jelentse a gyanús tevékenységeket a „Visszaélés bejelentése” lehetőséggel.

További tudnivalók

A témacsoportot lezárták és archiválták. Tegyen fel új kérdést, ha segítségre van szüksége.

A small suggestion about the "MASTERE PASSWORD" and how it works.

  • 5 válasz
  • 2 embernek van ilyen problémája
  • 1 megtekintés
  • Utolsó üzenet ettől: cor-el

more options

This is more me "thinking aloud" about the master password and how (I think) it works.

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

So, you set a master password, and all is good. Or is it?

Here's my concern:

You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.

You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.

But say you get some nasty software. It starts looking through your saved logins.

What is stopping it basically getting them all without your knowledge?

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed.

Thanks very much in advance.

This is more me "thinking aloud" about the master password and how (I think) it works. My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc. So, you set a master password, and all is good. Or is it? Here's my concern: You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved. You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario. But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge? My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested". I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed. Thanks very much in advance.

Kiválasztott megoldás

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

Válasz olvasása eredeti szövegkörnyezetben 👍 1

Összes válasz (5)

more options

Kiválasztott megoldás

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

more options

Thanks for clearing that confusion up.

Shall search for what you suggested and turn it off.

more options

I don't want to suggest we can get rid of the risk of passwords being scraped from web pages, but at least we can get rid of fake or hidden forms being filled automatically.

more options

Yes. Thanks. I did what you suggested and that shall allay most fears.

more options

On Linux this would normally not much of an issue.

Note that you can logout of the software security device (Password Manager) by canceling a master password prompt that you get when you want to view a password in Lockwise.