How secure is the Firefox master password feature? How long would it take someone to discover your password using a "password recovery" tool? What is being done to improve the security of the master password feature to make it truly secure?

  • Last reply by cor-el

If you do a search for "firefox master password recovery", you'll find a large number of links to software that will "recover" the master password, effectively defeating this security. I know that in the past, these have been pretty quick to use, but a recent search resulted in one that uses a brute force method, so it appears that you have improved on the security. If a brute force method is required, is it possible to use some method of encryption that would be so slow as to make this technique infeasible?

All Replies (1)

If you use a weak master password that can easily be constructed via a dictionary look up then it doesn't matter how long that password is.

If you want to make it difficult then use a MP that contains uppercase and lowercase characters (e.g. a-z, A-Z) and have digits (0-9) and punctuation characters and symbols (`~!@#$%&*()-_=+[]{}\;:'",.<>/?) and the length should at least be 8, but better use at least 12.

Never use words that can be found or constructed via a dictionary look up, even if there are numbers added or some characters have a different case.

See also http://en.wikipedia.org/wiki/Password_strength


The names and passwords are encrypted with a Triple-DES key that is stored in key3.db and a master password adds an additional level to that encryption.
If you do not use a master password then having access to key3.db and signons.sqlite is sufficient to have access to the encrypted names and passwords.
Make sure that you remember that master password or else all your passwords are lost.

See http://en.wikipedia.org/wiki/Triple_DES - TripleDES (CBC mode)

Modified by cor-el
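
The following is an added example, not part of cor-el's reply and not Mozilla code: a checker that applies the rules from the reply above (four character classes, length of at least 8 and preferably 12, no dictionary words even with digits added or case changed). The wordlist and the substitution table are constructed assumptions; a real check would load a large dictionary.

```python
import math
import string

# Symbol set quoted in the reply above.
SYMBOLS = "`~!@#$%&*()-_=+[]{}\\;:'\",.<>/?"
# Constructed sample wordlist (assumption); use a full dictionary in practice.
SAMPLE_WORDS = {"password", "firefox", "dragon", "monkey", "letmein", "master"}
# Common character substitutions undone before the lookup (assumption).
LEET = str.maketrans("0134578@$!", "oieastbasi")


def dictionary_core(candidate):
    """Reduce a candidate to the word it was built from: ignore case, drop
    digits and symbols added at either end, then undo substitutions."""
    stripped = candidate.lower().strip(string.digits + SYMBOLS)
    return stripped.translate(LEET)


def review_master_password(candidate, words=SAMPLE_WORDS):
    """Return the rule violations and an upper bound on the search space."""
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in candidate),
        "uppercase": any(c in string.ascii_uppercase for c in candidate),
        "digit": any(c in string.digits for c in candidate),
        "symbol": any(c in SYMBOLS for c in candidate),
    }
    findings = [f"no {name} character"
                for name, present in classes.items() if not present]
    if len(candidate) < 8:
        findings.append("shorter than 8 characters")
    elif len(candidate) < 12:
        findings.append("shorter than the preferred 12 characters")
    if dictionary_core(candidate) in words:
        findings.append("built from a dictionary word")
    # Alphabet size actually used, raised to the length. This bound only means
    # something when the password is NOT dictionary-derived: a wordlist search
    # finds "P@ssw0rd123!" long before exhausting 92**12 candidates.
    alphabet = (26 * classes["lowercase"] + 26 * classes["uppercase"]
                + 10 * classes["digit"] + len(SYMBOLS) * classes["symbol"])
    bits = len(candidate) * math.log2(alphabet) if alphabet else 0.0
    return {"findings": findings, "search_space_bits": round(bits, 1)}


if __name__ == "__main__":
    for sample in ("firefox", "Dr4g0n!!", "P@ssw0rd123!", "tQ7#vL2!mZ9&"):
        print(sample, review_master_password(sample))
```

The third sample passes every length and character-class rule yet is still flagged, which is the point of the reply's first sentence.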