Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Are my password on the local PC not protected?

  • 1 reply
  • 0 have this problem
  • 3 views
  • Last reply by cor-el

more options

Hi, I've been using Firefox for decades and been saving passwords in it without any second thoughts, thinking they were fully secure.

Today I had to install a Yandex Browser for my work for the first time in my life (on a new clean Windows 10). It also asked to "make changes on my device", and I rejected it. What happened next absolutely terrified me. It immediately grabbed all the tabs, the sessions and, most importantly, the years worth of passwords from my Firefox. Does it mean that they just lie there unprotected, and any random piece of code even without the administrative privileges can just take them? I'm pretty sure I didn't click anything related to legitimate data sync.

Hi, I've been using Firefox for decades and been saving passwords in it without any second thoughts, thinking they were fully secure. Today I had to install a Yandex Browser for my work for the first time in my life (on a new clean Windows 10). It also asked to "make changes on my device", and I rejected it. What happened next absolutely terrified me. It immediately grabbed all the tabs, the sessions and, most importantly, the years worth of passwords from my Firefox. Does it mean that they just lie there unprotected, and any random piece of code even without the administrative privileges can just take them? I'm pretty sure I didn't click anything related to legitimate data sync.
Attached screenshots

Modified by nikitakirenkov

Chosen solution

Are you using the Primary Password to protect the logins with an extra layer of protection? If not then merely having access to logins.json and key4.db (encryption key) is sufficient to decrypt the logins. The logins stored in logins.json are encrypted with a key stored in key4.db, so having access to both files is sufficient to decrypt the logins. The PP encrypts the encryption key stored in key4.db, so you need to enter this PP to be able to unlock the logins.

Read this answer in context 👍 1

All Replies (1)

more options

Chosen Solution

Are you using the Primary Password to protect the logins with an extra layer of protection? If not then merely having access to logins.json and key4.db (encryption key) is sufficient to decrypt the logins. The logins stored in logins.json are encrypted with a key stored in key4.db, so having access to both files is sufficient to decrypt the logins. The PP encrypts the encryption key stored in key4.db, so you need to enter this PP to be able to unlock the logins.