Firefox password manager - is it secure?

Discussion in 'privacy technology' started by PhoenixWeb, Feb 14, 2007.

Thread Status:
Not open for further replies.
  1. PhoenixWeb

    PhoenixWeb Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    76
    Location:
    Southampton, UK
    Hi

    I use the Firefox password manager to save my website logins including online stores, and web-mail. I use the master password option for security.

    Does anyone know how secure Firefox password manager is?

    Are passwords stored in it encrypted?
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I do not know whether stored passwords in Firefox are encrypted or not, but I strongly recommend setting Firefox to not remember any personal information such as passwords, as it protects your privacy.

    Uncheck the first three boxes in the 'privacy' tab in options.
     
  3. Arranger

    Arranger Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    21
    I use it for forum passwords and accessing other accounts that are non-risky, like hardware/product registrations and software support access. I wouldn't use it for any purchase-related or personal information guarding.
     
  4. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    There have been exploits of the password manager so I would not recommend using it for now, http://secunia.com/advisories/23046/ . Far better is a separate password manager program like KeePass http://keepass.info/ which, if set up correctly, can fill in your passwords by a key combination or easy copy/paste operation.
     
  5. Arranger

    Arranger Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    21
    Mozilla does not distribute KeePass as a readily-available plug-in/extension. Would you rate KeePass above other similar plug-ins made available through Mozilla's plug-in offerings?

    Thanks for the advice. Looks really good! :)
     
  6. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    KeePass is a separate application for storing passwords. One advantage is that the program can be used across different browsers. Another is that you can add the program to a USB stick and carry it around for use; coupled with the key-disk and master password access security, you have secure, easy password access.

    I don't have as much background on the extensions - do they encrypt the passwords in memory so cache replicating malware can't access the passwords? I don't have answers to a number of these types of security questions so I can't speak authoritatively on the extensions. But for me, besides the known security features, it's the portability and multiple browser access that makes it worthwhile, coupled with usability features. These types of issues narrow down to personal preference many times.

    Edit: Another standalone program that is somewhat easier to use but doesn't have all the similar features is Password Safe, http://passwordsafe.sourceforge.net/ . I would also recommend this to others.
     
    Last edited: Feb 14, 2007
  7. Arranger

    Arranger Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    21
    Thanks for your description, Mem. Great reply.
    Arranger
     
  8. PhoenixWeb

    PhoenixWeb Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    76
    Location:
    Southampton, UK
    Mem - thanks for the info on KeePass. Initially I wasn't that impressed with it, although after playing with it for a while, I now think it is great!

    I like the fact it is Open Source too...

    Cheers!
     
  9. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    You are welcome. That's probably KeePass's biggest drawback - it takes time to understand and be able to use some of its best features. Many won't spend the time to go through that process. With new separate screen username and password authentication schemes with specialized graphics servers verifying a passphrase, the key combination method doesn't work and copy/paste clicking is the way to log in. From a website and user perspective it is safer but a little more cumbersome. It wouldn't work with the browser password managers either but is another point to be aware of.

    For many, Password Safe is easier to use and does well if you don't want the additional features of KeePass.

    (BTW, I have had some say they wouldn't trust a program named "Keep ass" so maybe it should be renamed to "Saveass") :D
     
  10. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Another good one: PASSWORDMAKER

    Copy below from above link:

     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Another is RoboForm, which encrypts all entries. If you don't exceed 15 entries I think it is free for use.

    I use it on a USB stick, which when you aren't needing PSW's can be yanked out!
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I always set to not remember passwords, and save the passwords in my head. If you have a tendency to forget passwords, write them down, pen and paper:) . If you're afraid someone will read it, put it in your socks:D
     
  13. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Roboform. All entries for passwords, forms, notes are encrypted with your choice of AES, Triple-DES or Blowfish. I have the "Pro version" (unlimited passwords auto-login) and it's the best money I have ever spent on software. Period.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Prishnikov:

    I have that as well. Agree completely. If you don't use it or something similar
    1. you won't use the strongest possible PSW/site
    2. you expose yourself to keyloggers more than you need to!

    There was just an update for it on FF add-on the other day.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    So it bypasses keyloggers?
     
  16. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Roboform crashed Fx, then locked the computer so solidly that Task Manager was of no help. I had always heard good things about it but I had a horrible experience when I tried it a few months ago. I never use Fx Password Manager and there is a bad exploit right now involving that, for which Fx was scheduled to be upgraded yesterday, and the date got pushed back to next Tuesday. I have never used the Fx Password Manager. I just write down passwords and keep them in a folder.
     
  17. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Encrypted I hope. If you are going this route of just listing the passwords in a file, something like LockNote (free) is better than just a simple .txt file in a folder.
     
  18. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
  19. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    This has been a very useful thread as I have always been worried about Firefox's Password Manager (or any other browser's for that matter).

    Since reading this thread I have tried RoboForm and like it, but I am still unsure how secure it is. It's strange that something so important as our logins and passwords have so few encryption/security software to keep our data private.

    For now I will stay with RoboForm as I tried Keepass but whenever I opened a link from within it it kept opening up IE and not Firefox, despite FF being my default browser.
     
  20. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    This usually means the default program association in Windows hasn't been set up properly. If you want, you can check that default browser on opening is enabled in Fx and disabled in IE. Restart, open Fx and then go to Control Panel-> Add/remove programs-> Set Program Access and Defaults-> Custom and check use current browser.

    Restart and see if it has properly associated.
     
  21. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Hi, you may want to compare and try Opera's Wand password manager + Opera's Master Password features. Strong encryption and working real great.

    Cheers
     
  22. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Tried this Mem - Firefox is definitely set as default browser. Very strange.


    I may well give it a go, but I am so used to Firefox. Last time I tried Opera (a while ago, I must admit) I found it too confusing and cluttered. Perhaps it is time to try it out again.

    Thanks for your replies :thumb:
     