Ko tenda hembiapoite sa’ivéta oñemba’apokuévo hese hembiapo porãve hag̃ua. Peteĩ jehaipyre nomoĩporãiramo ne apañuái ha eporanduséramo, roguerekohína ore nepytyvõ rekoha ikatútava ndeykeko @FirefoxSupport Twitter-pe ha avei /r/firefox Reddit-pe.

Eheka Pytyvõha

Emboyke pytyvõha apovai. Ndorojeruremo’ãi ehenói térã eñe’ẽmondóvo pumbyrýpe ha emoherakuãvo marandu nemba’etéva. Emombe’u tembiapo imarãkuaáva ko “Marandu iñañáva” rupive.

Kuaave

Role of Master Password vs Sync account password

  • 3 Mbohovái
  • 3 oguereko ko apañuãi
  • 1 Hecha
  • Mbohovái ipaháva John99

more options

I went through documentation on GitHub for Sync Protocol as well as other similar questions. I got basic understanding of how Sync security works. But still I would like experts to confirm this.

1. Master password is only used to encrypt data on local computer. 2. Sync account password is used for encrypting data before sending it to Mozilla servers. 3. Data on Mozilla servers is meaning less unless you know the Sync account password. 4. Mozilla does not store Sync account password anywhere. But instead they use hash/digest comparison method(or a similar method) to make sure that entered password is correct.

Could anyone please confirm above points?

One additional related question I have is, 1. Even if I do not set master password, I see that data is logins.json is encrypted. How this encryption is achieved?

I went through documentation on GitHub for Sync Protocol as well as other similar questions. I got basic understanding of how Sync security works. But still I would like experts to confirm this. 1. Master password is only used to encrypt data on local computer. 2. Sync account password is used for encrypting data before sending it to Mozilla servers. 3. Data on Mozilla servers is meaning less unless you know the Sync account password. 4. Mozilla does not store Sync account password anywhere. But instead they use hash/digest comparison method(or a similar method) to make sure that entered password is correct. Could anyone please confirm above points? One additional related question I have is, 1. Even if I do not set master password, I see that data is logins.json is encrypted. How this encryption is achieved?

Moambuepyre raghu.sodha rupive

Ñemoĩporã poravopyre

Hi

Thank you for your questions. As far as I am aware, all of the statements you make are true. In respect of your additional question, I recommend you have a read of this article.

I hope this helps, but if not, please come back here and we can look into this further for you.

Emoñe’ẽ ko mbohavái ejeregua reheve 👍 2

Opaite Mbohovái (3)

more options

Ñemoĩporã poravopyre

Hi

Thank you for your questions. As far as I am aware, all of the statements you make are true. In respect of your additional question, I recommend you have a read of this article.

I hope this helps, but if not, please come back here and we can look into this further for you.

more options

Thanks Seburo.

I went through article. It does not mention how logins.json data is encrypted when master password is not set. But anyway, it is appropriate/wise to assume that when master password is not set all your passwords are in plain text.

Thanks Seburo and Mozilla.

more options

The point is if a master password is not set anyone with access to your Firefox may obtain the logins as simply as you can. Plus anyone with access to the computer and Firefox profile also has all those logins available.

I suspect the encryption of the logins within Firefox even when a Master Password is in use not very secure but unfortunately I do not recall where I saw that mentioned. (Probably in relation to Sync & Master password bugs) If you wish to obtain further information try the Mozilla forums, and if you do post there maybe let us have the link so we may follow the post