I save all my passwords directly on Firefox and lock them with a Master password, but I'd like to know if this is too risky. Has anyone seen a vulnerability in Firefox that allowed a malicious website to grab saved passwords?
There are regularly vulnerabilities like that; even LastPass, which is supposedly more secure, suffers from them. http://www.bishopfox.com/news/2015/07/lastpass-site-password-stealing-clickjacking-vulnerability As for retrieving passwords stored in the browser, even with a master password, read this (section 4, Autocomplete): http://resources.infosecinstitute.com/browser-based-vulnerabilities-in-web-applications For important webpages, it is better to use an offline password manager. You cannot beat the security triangle. More convenience = less security.
Simple as that: don't store passwords which are really sensitive, like banking or buying in general (eBay, Amazon etc.), admin actions. And change passwords regularly.
I'm pretty sure I remember seeing other browsers read password info from Firefox, for example, which bothered me somewhat. It's probably possible that other apps or even the system (Win 10, for example) could do that (if you're on Windows). I never store banking or other sensitive passwords anywhere, period.
I have 63 sites configured and use a simple 10-character master password for convenience. By simple I mean my birthday mixed with three of my initials, i.e. d1903s2589g, where the year 1989 is split as shown: XyymmXddyyX. Typing that in has become more muscle memory than brain. The logins are for unimportant sites where I've created unique content profiles (news, entertainment), product and software sites for stuff I haven't purchased (no financial data), email sites I use for junk communication (Yahoo, AOL and some others) and really, really unimportant sites that need logins, like forums. I don't use my real name or location for any of them. I clear Active Logins (among other History and RAM cache) religiously. That means I then need to re-enter the password the next time a configured site is visited. If anyone can steal my key3.db and logins.json files, I say... knock yourselves out. Other login data are stored locally and protected with a 24-character complex password and Serpent-256.
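As an added example (not code from this thread, nor from Mozilla), the script below counts how many candidates an attacker who has stolen key3.db and logins.json and knows the XyymmXddyyX layout described in the post above has to try offline, and compares that with ten uniformly random alphanumeric characters of the same length. The 1900-2099 century range and the guess rate are assumptions; `matches_pattern` is a hypothetical helper that flags strings built that way.

```python
"""Keyspace of a structured master password versus a random one.

Added example, not code from the thread or from Firefox. The layout
modelled is XyymmXddyyX: a letter, the two-digit century, the two-digit
month, a letter, the two-digit day, the two-digit year within the century,
a letter. The century range and the guess rate are assumptions.
"""
import math
import re
import string
from datetime import date

CENTURIES = (19, 20)  # assumption: birth year between 1900 and 2099
LETTERS = string.ascii_lowercase
PATTERN = re.compile(r"^([a-z])(\d{2})(\d{2})([a-z])(\d{2})(\d{2})([a-z])$")


def matches_pattern(candidate: str) -> bool:
    """True if candidate is laid out as XyymmXddyyX with a real calendar date."""
    m = PATTERN.match(candidate)
    if not m:
        return False
    century, month, day, yy = int(m[2]), int(m[3]), int(m[5]), int(m[6])
    try:
        date(century * 100 + yy, month, day)
    except ValueError:
        return False
    return century in CENTURIES


def valid_dates() -> int:
    """Number of real calendar dates in the assumed century range."""
    first = date(CENTURIES[0] * 100, 1, 1)
    last = date(CENTURIES[-1] * 100 + 99, 12, 31)
    return (last - first).days + 1


def pattern_keyspace() -> int:
    """Every date combined with every choice of three lowercase letters."""
    return valid_dates() * len(LETTERS) ** 3


def random_keyspace(length: int = 10, alphabet: int = 62) -> int:
    """Uniformly random characters from a 62-symbol alphabet, for comparison."""
    return alphabet ** length


def bits(keyspace: int) -> float:
    """Equivalent strength in bits of a keyspace of the given size."""
    return math.log2(keyspace)


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at an assumed offline guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    rate = 1e6  # assumption: guesses per second against a stolen key database
    for name, space in (("XyymmXddyyX", pattern_keyspace()),
                        ("10 random alphanumerics", random_keyspace())):
        print(f"{name:24s} {bits(space):5.1f} bits, "
              f"{worst_case_seconds(space, rate):.3g} s to exhaust at {rate:.0e}/s")
```

The point the numbers make is that the strength of a structured password is set by the number of things it can be, not by its length: ten characters that encode a date and three letters fall around 30 bits, while ten random alphanumerics are close to 60 bits. Whether a stolen key database can actually be attacked at the assumed rate depends on the key-derivation scheme of the Firefox version in use, which the thread does not establish.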
Thanks, but if you notice: "The feature is convenient for users, as they don't have to remember and enter the password, but it poses a problem if the user is using this feature on a shared or public computer. An attacker can easily retrieve the stored password from the browser." I only store passwords on my personal computer, which nobody else uses.

Also, the page says: "Even if the stored passwords are encrypted or protected by the master password (a password to access the stored passwords), an attacker can retrieve this password by visiting the application, for which the password is stored, in the browser. An attacker enters the username and the browser automatically fills the password field." I cannot reproduce this. When I open the browser and go to a website for which I have a password stored, the browser will ask me for the master password. If I don't supply the correct password (or cancel the operation), no saved password will appear at all (on the mentioned website).

Then the page says: "The saved password can be accessed by navigating to: Firefox: Options → Security → Saved Password". I cannot reproduce this either. No matter what I do, Firefox will ask me for the master password every time I open "Saved Credentials".

Thanks, I guess I'm safe: "Assuming that a strong (and unique) master password has been set, local storage of passwords in Firefox should be secure, as they are encrypted using a 256-bit AES cipher (as utilized by the US government for sensitive data, and generally considered very secure)."

I do consider such an attack possible, but I'm not on Windows and I don't use proprietary browsers like Chrome (not even Chromium), so I shouldn't be vulnerable to it. The only proprietary program running here is Steam, and it is limited by Firejail so it can't read ".gnupg" or ".mozilla", for example (among many other limitations).

Exactly.

Yeah, after typing them a few dozen times it's quite easy to remember, right?
I used to memorize 3 64-character random passwords when I didn't have LVM implemented hehehehe.
Well, my impression/speculation (not enough technical knowledge to provide a more robust statement than this) is that it's basically OK when the OS itself is properly secured. All the hype about the Firefox password manager being insecure is mainly marketing by password manager devs (LastPass, Dashlane, etc.).