Hi,

It may help if Firefox is closed (or if it's open, but you haven't entered the password yet). But generally the best protection is not to give anyone remote access to your computer (especially since I don't think there are many cases when it's really needed) :D

If you do not use the PP then merely having access to logins.json and key4.db is sufficient to inspect the logins by placing them in a Firefox profile folder or use a tool that can handle these two file. The PP encrypts the encryption key (seed) stored in key4.db. No changes are made to logins.json, this means that having access to a copy of key4.db that doesn't have the PP can also decrypt the logins.

You can inspect the current login state and login and logout and change the Primary Password via the Security Device Manager.

• Settings -> Privacy & Security
  Security -> Certificates -> Security Devices

In the left panel select "Software Security Device". You can find "Log In" and "Log Out" and "Change Password" in the very right panel. You may have to Zoom out the page or go full screen to make this right panel visible.

I am a member of the '"civilian" public and do not have technical expertise, so I couldn't follow your response. I want to know if the extra step of creating and using a Primary Password is worth the inconvenience of using it. Assume that I have set up a Primary Password but either I have not opened Firefox, or if on line using Firefox, I haven't entered the PP during that session. If I make a mistake by clicking on something I shouldn't have clicked on or somehow some scammer gets remote access to my computer (say through access to my email), can they see my user names and passwords (e.g., for a bank account) that I have entered in the past? Is there some sort of shadow copy of user names and passwords in my hard drive or elsewhere that someone with expertise can access? I know not to knowingly give remote access to my computer. It's the mistakes I'm worried about. Or would the scammer who has gained remote access just wait until I go on line and enter my PP and then see my key strokes anyway? The question is whether it's worth the inconvenience of using a PP if someone with tech knowledgeable can get into my financial accounts anyway. Is the primary reason to use a PP to guard against access to my physical laptop and really not helpful if someone gains remote access? I'm not concerned with the physical use of my laptop, it's the remote access. I realize this is a bit long winded, but I hope it explains my issue better.

There was a recent opinion piece in the New York Times where the author more or less said that with AI, passwords can be easily guessed.

Lisa, theoretically anyone who has sufficient access to your computer (whether remote or physical), could say install a keylogger and wait for you to entr the Primary Password.

Your only hope here would be that either you or your antivirus detects this beforehand.

Whereas without a Primary Password, your password database could be opened very quikly.

P.S. You may not be worried about the people in your household, but a Primary Password would help protect against thieves and nosy computer repair shop staff?