Firefox password manager - is it secure?

[PhoenixWeb]

Hi

I use the Firefox password manager to save my website logins including online stores, and web-mail. I use the master password option for security.

Does anyone know how secure Firefox password manager is?

Are passwords stored in it encrypted?

[nadirah]

I do not know whether if stored passwords in firefox are encrypted or not, but I strongly recommend to set firefox to not remember any personal information such as passwords as it protects your privacy.

Uncheck the first three boxes in the 'privacy' tab in options.

[Arranger]

I use it for forum passwords and accessing other accounts that are non-risky, like hardware/product registrations and software support access. I wouldn't use it for any purchase-related or personal information guarding.

[Mem]

There have been exploits of the password manager so I would not recommend using it for now, http://secunia.com/advisories/23046/ . Far better is a separate password manager program like KeePass http://keepass.info/ which, if set up correctly, can fill in your passwords by a key combination or easy copy/paste operation.

[Arranger]

Quote:

Originally Posted by Mem

There have been exploits of the password manager so I would not recommend using it for now, http://secunia.com/advisories/23046/ . Far better is a separate password manager program like KeePass http://keepass.info/ which, if set up correctly, can fill in your passwords by a key combination or easy copy/paste operation.

Mozilla does not distribute KeePass as a readily-available plug-in/extension. Would you rate KeePass above other similar plug-ins made available through Mozilla's plug-in offerings?

Thanks for the advice. Looks really good!

[Mem]

Quote:

Originally Posted by Arranger

Mozilla does not distribute KeePass as a readily-available plug-in/extension. Would you rate KeePass above other similar plug-ins made available through Mozilla's plug-in offerings?

KeePass is a separate application for storing passwords. One advantage is that the program can be used across different browsers. Another is that you can add the program to a USB stick and carry it around for use, coupled with the key-disk and master password access security you have secure easy password access.

I don't have as much background on the extensions - do they encrypt the passwords in memory so cache replicating malware can't access the passwords? I don't have answers to a number of these type of security questions so I can't speak authoritatively on the extensions. But for me besides the known security features it's the portability and multiple browser access that makes it worthwhile coupled with usability features. These type of issues narrow down to personal preference many times.

Edit: Another stand alone program that is somewhat easier to use but doesn't have all the similar features is Password Safe, http://passwordsafe.sourceforge.net/ . I would also recommend this to others.

[Arranger]

Thanks for your description, Mem. Great reply.
Arranger

[PhoenixWeb]

Quote:

Originally Posted by Mem

There have been exploits of the password manager so I would not recommend using it for now, http://secunia.com/advisories/23046/ . Far better is a separate password manager program like KeePass http://keepass.info/ which, if set up correctly, can fill in your passwords by a key combination or easy copy/paste operation.

Mem - thanks for the info on KeePass. Initially I wasn't that impressed with it, although after playing with it for a while, I now think it is great!

I like the fact it is Open Source too...

Cheers!

[Mem]

You are welcome. That's probably KeePass's biggest drawback - it takes time to understand and be able to use some of it's best features. Many won't spend the time to go through that process. With new separate screen username and password authentication schemes with specialized graphics servers verifying a passphrase, the key combination method doesn't work and copy/paste clicking is the way to log in. From a website and user perspective it is safer but a little more cumbersome. It wouldn't work with the browser password managers either but is another point to be aware of.

For many, Password Safe is easier to use and does well if you don't want the additional features of KeePass.

(BTW, I have had some say they wouldn't trust a program named "Keep ass" so maybe it should be renamed to "Saveass")

[pilotart]

Another good one: PASSWORDMAKER

Copy below from above link:

Quote:

"...It is a small, lightweight, free, extension for Internet Explorer, Firefox, Mozilla, Netscape, Flock, and Yahoo! Widgets which creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. ..."

[Escalader]

Another is RoboForm, which encrypts all entries. If you don't exceed 15 enties I think it is free for use.

I use it on a USB stick, which when you aren't needing PSW's can be yanked out!

[Pedro]

I always set to not remember passwords, and save the passwords in my head. If you have a tendency to forget passwords, write them down, pen and paper . If you're afraid someone will read it, put it in your socks

[Genady Prishnikov]

Roboform. All entries for passwords, forms, notes are encrypted with your choice of AES, Triple-DES or Blowfish. I have the "Pro version" (unlimited passwords auto-login) and it's the best money I have ever spent on software. Period.

[Escalader]

Quote:

Originally Posted by Genady Prishnikov

Roboform. All entries for passwords, forms, notes are encrypted with your choice of AES, Triple-DES or Blowfish. I have the "Pro version" (unlimited passwords auto-login) and it's the best money I have ever spent on software. Period.

Hi Prishnikov:

I have that as well. Agree completly. If you don't use it or something similar

1. you won't use the strongest possible PSW/site
2. you expose yourself to keyloggers more that you need to!

There was just an update for it on FF ad on the other day.

[Pedro]

So it bypasses keyloggers?

[Mele20]

Roboform crashed Fx, then locked the computer so solidly that Task Manager was of no help. I had always heard good things about it but I had a horrible experience when I tried it a few months ago. I never use Fx Password Manager and there is bad exploit right now involving that for which Fx was scheduled to upgraded yesterday and the date got pushed back to next Tuesday. I have never used the Fx Password Manager. I just write down passwords and keep them in a folder.

[Genady Prishnikov]

Quote:

Originally Posted by Mele20

Roboform crashed Fx, then locked the computer so solidly that Task Manager was of no help. I had always heard good things about it but I had a horrible experience when I tried it a few months ago. I never use Fx Password Manager and there is bad exploit right now involving that for which Fx was scheduled to upgraded yesterday and the date got pushed back to next Tuesday. I have never used the Fx Password Manager. I just write down passwords and keep them in a folder.

Encrypted I hope. If you are going this route of just listing the passwords in a file, something like LockNote (free) is better than just a simple .txt file in a folder.

[Acadia]

Firefox password manager makes life easier for phishers:
http://www.heise-security.co.uk/news/81419

Acadia

[mrfargoreed]

This has been a very useful thread as I have always been worried about Firefox's Password Manager (or any other browser's for that matter).

Since reading this thread I have tried RoboForm and like it, but I am still unsure how secure it is. It's strange that something so important as our logins and passwords have so few encryption/security software to keep out data private.

For now I will stay with RoboForm as I tried Keepass but whenever I opened a link from within it it kept opening up IE and not Firefox, despite FF being my default browser.

[Mem]

Quote:

Originally Posted by mrfargoreed

For now I will stay with RoboForm as I tried Keepass but whenever I opened a link from within it it kept opening up IE and not Firefox, despite FF being my default browser.

This usually means the default program association in windows hasn't setup properly. If you want, you can check that default browser on opening is enabled in Fx and disabled in IE. Restart, open Fx and then go to Control Panel-> Add/remove programs-> Set Program Access and Defaults-> Custom and check use current browser.

Restart and see if has properly associated.

[dylanfan]

Quote:

Originally Posted by mrfargoreed

This has been a very useful thread as I have always been worried about Firefox's Password Manager (or any other browser's for that matter). [...] It's strange that something so important as our logins and passwords have so few encryption/security software to keep out data private.

Hi, you may want to compare and try Opera's Wand password manager + Opera's Master Password features. Strong encryption and working real great.

Cheers

[mrfargoreed]

Quote:

Originally Posted by Mem

This usually means the default program association in windows hasn't setup properly. If you want, you can check that default browser on opening is enabled in Fx and disabled in IE. Restart, open Fx and then go to Control Panel-> Add/remove programs-> Set Program Access and Defaults-> Custom and check use current browser.

Restart and see if has properly associated.

Tried this Mem - Firefox is definitely set as default browser. Very strange.

Quote:

Originally Posted by dylanfan

Hi, you may want to compare and try Opera's Wand password manager + Opera's Master Password features. Strong encryption and working real great.

I may well give it a go, but I am so used to Firefox. Last time I tried Opera (a while ago, I must admit) I found it too confusing and cluttered. Perhaps it is time to try it out again.

Thanks for your replies