Store passwords securely in Firefox

Introduction

Most of us visit a lot of websites, and we have a need to login to many of these sites. We know that it would be a bad idea to use the same password for all online accounts, so we create unique passwords for each site. However, it is impossible for us to remember all of these passwords so we tell Firefox to remember them for us.

This provides great convenience, but it also creates a huge security risk. Anyone who sits down at your computer can view your passwords! If you don't believe me, try this in Firefox: "Edit" > "Preferences" > "Security" > "Show Passwords".

Fortunately, the smart people at Mozilla have created an improved way to store your passwords. This method requires creating a "Master Password" which is used to encrypt your online passwords. You can do this in Firefox by clicking on "Edit" > "Preferences" > "Security" and clicking on the button labeled "Use a master password".


When you are creating a Master Password, it is important that you create a strong password. Even though your passwords are encrypted, they can still be retrieved if someone can guess your Master Password. Someone has even created a password recovery tool called FireMaster that tries to find your password by using both dictionary and brute-force attacks.

Once you have created a Master Password, you will be asked for it the first time you try to login to an online account. Firefox will only ask for this password once per session . If you close and open Firefox you will need to enter it again.

If you are paranoid about this, there is also a Firefox extension that will force you to re-enter the Master Password after a certain length of inactivity. Of course, a simple screen-saver password would accomplish the same thing. ("System" > "Preferences" > "Screensaver" > "Lock screen when screensaver is active")

Feature Requests

A password generator would be useful when creating the master password and when creating new online accounts. Because your passwords are remembered by Firefox, you can get away with using highly complex passwords in all your online accounts. There is a Firefox extension that will help you generate secure passwords.

I also wish there was a way to easily synchronize my saved passwords on my work machine with my home machine, and my laptop. If I wanted to do this manually, I could install the Password Exporter Firefox extension which lets you export and import the passwords using encrypted text files. Google appears to have a great product to fill this need: Google Browser Sync. Just beware of the possible privacy and security risks of letting Google have access to your passwords, history, cookies, and favorites.

Comments

  1. Anonymous2/21/2007 2:05 AM

    There is also an awesome extension called PasswordMaker which basically combines every function you listed. It allows for storing passwords securely (using a Master Password to unlock / use them) and generating secure passwords for sites. It also allows you to export all of your saved passwords to a file that can be re-imported, solving your synch issues between multiple machines without the need for installing yet another extension. It really is a much better solution than the built-in password manager.

    ReplyDelete
  2. Anonymous2/21/2007 8:53 AM

    Well I though there was a vulnerability issue with this functionality:

    http://it.slashdot.org/article.pl?sid=06/11/21/2319243&from=rss

    I therefore (sadly) stopped using this. I don't know if it has been solved yet.

    ReplyDelete
  3. Anonymous2/21/2007 11:05 AM

    There is a security issue either using master password or not, and it's not solved yet, and Mozilla foundation hasn't talked officially about that.

    Sad...

    ReplyDelete
  4. Unknown2/21/2007 2:57 PM

    Can't say that I agree with storing passwords, but to each his own. I guess I am too paranoid.

    However I thought I would say, nice blog. I have been tracking it for some time I think I first saw it from SLLUG posting once, otherwise I dunno how I found it. I also am in Utah and use Ubuntu, Ubuntu Server, and Xubuntu! Keep up the good work and if you want check out my Blog as well. I have much more coming on Linux and Open Source as well.

    ReplyDelete
  5. Anonymous2/23/2007 2:24 AM

    Great Article!

    Thanks.

    ReplyDelete
  6. Marco Barulli3/29/2007 10:24 AM

    If you are going to use multiple strong and complex passwords you definitely need a password manager. Software solutions are certainly an option, but I think you could also consider the alternative provided by online password managers.

    (I know, I'm a tad biased since I'm the co-founder of Clipperz ...)

    Clipperz can do much more than simply storing your passwords.
    - ubiquitous access
    - direct login to online services
    - offline version
    - bookmarklet for quick data entering
    - ....

    It’s free and completely anonymous. Give it a try and let me know your impressions.

    PS
    From an open source point of view: all Clipperz source code is available for security reviews. The core crypto functions have been implemented in Javascript and released under a BDS license: the Clipperz Crypto Library is available here
    http://code.google.com/p/clipperz

    Regards,
    Marco

    ReplyDelete
  7. Anonymous5/01/2007 2:35 PM

    Hi,
    You might want to take at this extension that i developed for the password sync'ing between profiles. It does require an ftp server though.
    This is the code, and i also have the xpi built.

    http://www.codedemigod.com/projects/syncextension.tar.bz2

    I built it for myself, so it doesn't do a lot of things, but it worked for me.

    ReplyDelete
  8. Anonymous11/24/2008 5:03 PM

    You CAN now sync Firefox passwords between PC's. Foxmarks, the bookmark sych add-in now includes password sync.

    As for security, I advise keeping your financial/personal website passwords sync'd to with an encrypted DB app such as SplashId and only your "conveniece" passwords on your browser.

    ReplyDelete

Post a Comment

Popular posts from this blog

Using the Cisco console in Linux

Image
Introduction People who work with Cisco network equipment need to be able to connect to the console port on their devices. In Windows, you can simply fire up HyperTerminal to get basic access to your devices. If you are using Linux, then you need to know how this can be done with an application called Minicom . Hardware First, you are going to need a Cisco console cable , a Cisco device, and a computer. If your computer has a serial port , then you can use the standard console cable that comes with every Cisco device. If you do not have a serial port (like most new laptops), then you need to purchase a USB to Serial adapter that supports Linux. This device will allow you to use the standard Cisco cable, which has a serial port on one end. Install Minicom You can easily install Minicom by using "System > Administration > Synaptic Package Manager". Search for "minicom" and choose to install the package. Click "Apply" and Minicom should be insta
Read more

What it takes to make Ubuntu ready for use

I recently installed Ubuntu 6.10 on a new PC at work. In this post I will document all the steps I had to perform to get it ready for everyday use. Each step is assigned a level of difficulty, which I define below: Very Easy Step can be completed without using the command prompt Intuitive to complete Easy Step can be completed without using the command prompt May require searching to find the right place to make the change Medium Requires a single command to be entered at the command prompt Requires searching internet resources to find the solution Hard Requires multiple commands to be entered at the command prompt Requires searching internet resources to find the solution Very Hard Requires multiple commands to be entered at the command prompt Requires searching internet resources to find the solution Requires the user to manually edit a configuration file These criteria are quite strict, because I believe that using an operating system should be intuitive, and not require any spec
Read more

Five ways to use Windows apps in Linux

Image
1. Use an open source alternative instead When someone asks me if they can run "Windows Application X" on Linux, the first thing I tell them is to look for an open source alternative. For most Windows applications, there will be a high-quality open source alternative that can meet their needs. The biggest hurdle for non-Linux people is simply knowing that these alternative exist and how to find them. The best place I have found to search for these applications is at www.osalt.com . On that site, you can enter the name of the Windows application and it will list the open source alternatives that provide similar functionality. Be sure to check it out. 2. Buy a commercial product that was designed for Linux If you cannot find an open source alternative, and you have not already purchased a Windows application, then you should consider purchasing a commercial product that was designed for Linux. Here is a story of a civil engineer who wanted to find an open source replacemen
Read more