Enabling Secure Business Operations

Using the Master Password in Firefox

Firefox gives users the ability to easily log on to their favorite sites without having to re-enter their passwords every time. It does this by keeping an encrypted form of the passwords in a file usually called signons*.txt in the user’s Firefox profile folder. The key used to decrypt these passwords is stored in the same folder under the name key3.db (this file also stores other important information related to keys and encryption).

So, unless a user disables this ability, it is trivial for another user to either copy the signons*.txt and key3.db files to examine later, or simply display the passwords within Firefox and write them down (Tools->Options->Security->Saved passwords->Show passwords). This user could be anyone with access to the folder: an administrator, or even someone you let use your computer temporarily… like a nosey girlfriend who just keeps trying to go through your stuff when you go out of town. Even though you trust her with the keys to your place and the password to your computer so she can work on her report, she abuses the privilege and takes the first opportunity she can to snoop through your personal stuff… hypothetically speaking.

Enter the Master Password.

Firefox’s Master Password is just a password for a list of passwords. It essentially encrypts the key used to decrypt the saved passwords. This has the effect of adding security to Firefox’s option to “show” passwords as well as protecting against someone copying the signons*.txt and key3.db files.

Enabling this is easy:

1) In Firefox, go to Tools->Options and make sure the “Security” category is active
2) Check the “use a master password” option
3) It’ll ask you for a new password, so enter a good one that someone is unlikely to guess
4) Click “OK” and exit the Options menu

Now, if someone tries “Show passwords” on you, you’ll have the “Enter master password” defense.

Of course, the safe alternative is disabling the ability in the first place: Tools->Options->Security->Uncheck remember passwords for sites. Secure, but highly inconvenient since it is a very useful feature.
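To see why the master password protects copied files as well as the “Show passwords” dialog, here is a simplified model of the key wrapping described above. It is an added example, not Firefox or NSS code: the names (create_profile, key_db, signons) are hypothetical, the cipher is a standard-library stand-in rather than the real key3.db format, and the sample passwords are constructed.

```python
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher (model only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        raise ValueError("wrong key or master password")
    nonce, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def kek(master_password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the master password ("" when none is set).
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def create_profile(master_password: str, site_password: str) -> dict:
    """Model of the two files: key_db holds the wrapped key, signons the ciphertext."""
    data_key, salt = os.urandom(32), os.urandom(16)
    return {
        "key_db": {"salt": salt, "wrapped_key": seal(kek(master_password, salt), data_key)},
        "signons": seal(data_key, site_password.encode()),
    }

def read_saved_password(profile: dict, master_password: str) -> str:
    """What anyone holding a copy of both files can attempt."""
    k = profile["key_db"]
    data_key = unseal(kek(master_password, k["salt"]), k["wrapped_key"])
    return unseal(data_key, profile["signons"]).decode()

if __name__ == "__main__":
    copied = create_profile("", "constructed-site-pw")   # no master password set
    print(read_saved_password(copied, ""))               # both files alone are enough
```

With no master password, the wrapping key is derived from an empty string, so possession of both files is sufficient; once a master password is set, the same copy fails to unwrap without it.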


One Response to “Using the Master Password in Firefox”

  1. Walt Says:

    key3.db is old news, too. It’s been a while since I had to deal with NS key stores, but key3.db worked with some pretty old versions of iPlanet; I wouldn’t be surprised if the protection there was outdated.