Store passwords securely in Firefox
Introduction
Most of us visit a lot of websites, and we need to log in to many of them. We know that it would be a bad idea to use the same password for all online accounts, so we create unique passwords for each site. However, it is impossible for us to remember all of these passwords, so we tell Firefox to remember them for us.
This provides great convenience, but it also creates a huge security risk. Anyone who sits down at your computer can view your passwords! If you don't believe me, try this in Firefox: "Edit" > "Preferences" > "Security" > "Show Passwords".
Fortunately, the smart people at Mozilla have created an improved way to store your passwords. This method requires creating a "Master Password" which is used to encrypt your online passwords. You can do this in Firefox by clicking on "Edit" > "Preferences" > "Security" and clicking on the button labeled "Use a master password".
When you are creating a Master Password, it is important that you create a strong password. Even though your passwords are encrypted, they can still be retrieved if someone can guess your Master Password. Someone has even created a password recovery tool called FireMaster that tries to find your password by using both dictionary and brute-force attacks.
Once you have created a Master Password, you will be asked for it the first time you try to log in to an online account. Firefox will only ask for this password once per session. If you close and reopen Firefox, you will need to enter it again.
If you are paranoid about this, there is also a Firefox extension that will force you to re-enter the Master Password after a certain length of inactivity. Of course, a simple screen-saver password would accomplish the same thing. ("System" > "Preferences" > "Screensaver" > "Lock screen when screensaver is active")
Feature Requests
A password generator would be useful when creating the master password and when creating new online accounts. Because your passwords are remembered by Firefox, you can get away with using highly complex passwords in all your online accounts. There is a Firefox extension that will help you generate secure passwords.
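The advice above on choosing a strong Master Password and the wish for a password generator can be shown together. The following Python is an added example, not code from Firefox or from any extension mentioned here; the sample word list, the 12-character minimum and the function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes a generated password must draw from (94 printable symbols).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)

# Constructed sample word list; a real dictionary has millions of entries.
SAMPLE_WORDS = {"firefox", "password", "ubuntu", "letmein"}


def generate_password(length=20):
    """Return a random password from the OS CSPRNG with every class present."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole password instead of patching one position, so
        # no position is biased toward a particular class.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random string: length * log2(size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time for a brute-force search of a 2**bits keyspace."""
    return 2 ** bits / guesses_per_second


def looks_guessable(password, words=SAMPLE_WORDS, min_length=12):
    """Flag passwords a dictionary pass would cover: short, or a known
    word with digits/punctuation tacked on the end."""
    stem = password.rstrip(string.digits + string.punctuation).lower()
    return len(password) < min_length or stem in words


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(pw, f"{bits:.0f} bits", "guessable" if looks_guessable(pw) else "ok")
```

At an assumed rate of one billion guesses per second, an 8-letter lowercase password is exhausted in about 209 seconds, while a 20-character password from the full alphabet is far out of reach of brute force.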
I also wish there was a way to easily synchronize my saved passwords on my work machine with my home machine, and my laptop. If I wanted to do this manually, I could install the Password Exporter Firefox extension which lets you export and import the passwords using encrypted text files. Google appears to have a great product to fill this need: Google Browser Sync. Just beware of the possible privacy and security risks of letting Google have access to your passwords, history, cookies, and favorites.
There is also an awesome extension called PasswordMaker which basically combines every function you listed. It allows for storing passwords securely (using a Master Password to unlock / use them) and generating secure passwords for sites. It also allows you to export all of your saved passwords to a file that can be re-imported, solving your synch issues between multiple machines without the need for installing yet another extension. It really is a much better solution than the built-in password manager.
Well I thought there was a vulnerability issue with this functionality:
http://it.slashdot.org/article.pl?sid=06/11/21/2319243&from=rss
I therefore (sadly) stopped using this. I don't know if it has been solved yet.
There is a security issue either using master password or not, and it's not solved yet, and Mozilla foundation hasn't talked officially about that.
Sad...
Can't say that I agree with storing passwords, but to each his own. I guess I am too paranoid.
However I thought I would say, nice blog. I have been tracking it for some time. I think I first saw it from a SLLUG posting once, otherwise I dunno how I found it. I also am in Utah and use Ubuntu, Ubuntu Server, and Xubuntu! Keep up the good work and if you want, check out my blog as well. I have much more coming on Linux and Open Source as well.
Great Article!
Thanks.
If you are going to use multiple strong and complex passwords you definitely need a password manager. Software solutions are certainly an option, but I think you could also consider the alternative provided by online password managers.
(I know, I'm a tad biased since I'm the co-founder of Clipperz ...)
Clipperz can do much more than simply storing your passwords.
- ubiquitous access
- direct login to online services
- offline version
- bookmarklet for quick data entering
- ....
It’s free and completely anonymous. Give it a try and let me know your impressions.
PS
From an open source point of view: all Clipperz source code is available for security reviews. The core crypto functions have been implemented in JavaScript and released under a BSD license: the Clipperz Crypto Library is available here
http://code.google.com/p/clipperz
Regards,
Marco
Hi,
You might want to take a look at this extension that I developed for password sync'ing between profiles. It does require an FTP server though.
This is the code, and I also have the xpi built.
http://www.codedemigod.com/projects/syncextension.tar.bz2
I built it for myself, so it doesn't do a lot of things, but it worked for me.
You CAN now sync Firefox passwords between PCs. Foxmarks, the bookmark sync add-in, now includes password sync.
As for security, I advise keeping your financial/personal website passwords sync'd with an encrypted DB app such as SplashId and only your "convenience" passwords on your browser.